U.S. House of Representatives
Committee on Science, Space, and Technology 
Subcommittee on Oversight 

HEARING CHARTER 

The Role of the White House Chief Technology Officer 
in the HealthCare.gov Website Debacle 

Wednesday, November 19, 2014 
10:00 a.m. - 12:00 p.m.

2318 Rayburn House Office Building


Purpose 

On Wednesday, November 19, 2014, the Subcommittee on Oversight will hold a hearing 
titled The Role of the White House Chief Technology Officer in the HealthCare.gov Website
Debacle. 

On September 17, 2014, the Subcommittee on Oversight approved a resolution to authorize
the issuance of a subpoena ad testificandum to Mr. Todd Park, former Chief Technology Officer 
(CTO) of the United States, Office of Science and Technology Policy (OSTP). The subpoena 
compels Mr. Park’s appearance before the Subcommittee to explain his role in the development and 
rollout of the HealthCare.gov website that Health and Human Services (HHS) Secretary Kathleen 
Sebelius called a “debacle”[1] with a recently estimated cost of over $2 billion.[2] Despite Mr. Park
denying knowledge of security and testing concerns with HealthCare.gov prior to the rollout of the 
website, the Committee has reviewed many emails where Mr. Park demonstrates an in-depth 
knowledge of these issues prior to October 1, 2013. This hearing will cover what Mr. Park knew 
and what he reported to other senior White House officials. 

In late August, the White House announced that Mr. Park would step down as CTO to take a 
new role in the Administration as technical advisor to the White House, working from Silicon 
Valley. 

Witness 


• Mr. Todd Park, former Chief Technology Officer of the United States, Office of Science 
and Technology Policy 


[1] Bill Chappell, “Sebelius Calls For Review of HHS Practices That Led To Debacle,” NPR, December 11, 2013,
available at: http://www.npr.org/blogs/thetwo-way/2013/12/11/250207327/sebelius-calls-for-review-of-hhs-practices-that-led-to-debacle.

[2] Alex Wayne, “Obamacare Website Costs Exceed $2 Billion, Study Finds,” Bloomberg, September 24, 2014, available
at: http://www.bloomberg.com/news/2014-09-24/obamacare-website-costs-exceed-2-billion-study-finds.html.

Background

As U.S. CTO, Mr. Park declined five invitations to testify before the Committee about his 
knowledge and involvement with the development of HealthCare.gov, including its cybersecurity 
standards and protocols. Over the course of several letters, OSTP has claimed: 

• It “has not been substantially involved in the privacy and security standards that are in place for 
healthcare.gov.”[3]

• Neither “Mr. Park nor any other OSTP staff member is in a position to testify on the data 
security standards of the website. Indeed, when asked about the security features of the 
HealthCare.gov website during a hearing.. .before another committee, Mr. Park explained that 
he has not been working on these issues.”[4]

• Mr. Park and “OSTP personnel have not been substantially involved in developing or 
implementing the Federally Facilitated Marketplace’s (FFM) security measures.... Mr. Park is 
not a cybersecurity expert; he did not develop or approve the security measures in place to 
protect the website, and he does not manage those responsible for keeping the site safe.”[5]

Further, while testifying under oath when subpoenaed by the Oversight and Government 
Reform Committee last November, Mr. Park said that he did not “actually have a really detailed 
knowledge base” of the website before it was launched and was “not deeply familiar with the 
development and testing regimen that happened prior to October 1.”[6]

However, documents received by the Science Committee over the summer and this past 
month from the Committee’s subpoena of Mr. Park’s records raise serious questions of Mr. Park’s 
denial that he was not knowledgeable or familiar with the development, testing, and security 
concerns relative to the HealthCare.gov website. 

HealthCare.gov 

On October 1, 2013, under the provisions of the Patient Protection and Affordable Care Act 
(ACA), the Administration launched HealthCare.gov, a federally-operated health insurance 
exchange website to help uninsured people find health care coverage. 

The data passing through the HealthCare.gov website is one of the largest collections of 
personal information ever assembled, linking information from seven different federal agencies as 
well as state agencies and government contractors. When launched last year, users attempting to 
gain information on potential healthcare coverage through the website were required to input 


[3] November 8, 2013, Letter from OSTP to SST Committee.

[4] November 14, 2013, Letter from OSTP to SST Committee.

[5] July 3, 2014, Letter from OSTP to SST Committee.

[6] “Obamacare Implementation - The Rollout of HealthCare.gov,” House Oversight and Government Reform
Committee, November 13, 2013, available at: http://oversight.house.gov/hearing/obamacare-implementation-rollout-healthcare-gov.
personal contact information, birth dates and social security numbers for all family members, in
addition to household salary, and other personal data. 

Federal agencies have an obligation to ensure that these private records have sufficient 
protection from misuse and security breaches under the Federal Information Security Management 
Act (FISMA). However, according to documents from the Department of Health and Human
Services (HHS), the security of the healthcare website had not been fully tested when it was
launched last year,[7] and cybersecurity experts at a November 2013 hearing before the Science
Committee expressed concern about flaws in the website that put the personal data of Americans
using the website at risk of identity theft from cybercriminals/hackers.[8]

The Committee oversees the agencies responsible for setting cyber privacy and security 
policies and standards for the rest of the federal government - the National Institute for Standards 
and Technology (NIST) and the White House Office of Science and Technology Policy. 

On October 31, 2013, the Committee sent the first letter to Mr. Todd Park, then-U.S. CTO,[9]
requesting that he testify at a hearing on November 19, 2013, to address the Committee’s concerns 
about the lack of privacy standards for personal information passing through the HealthCare.gov 
website and the threat posed to Americans if hackers on the Internet gained access to such 
information. The Committee’s specific interest in questioning Mr. Park was based on several 
factors: 

• Prior to his position as U.S. CTO, Mr. Park was the CTO at HHS, where he “led the successful 
execution of an array of breakthrough initiatives, including the creation of HealthCare.gov.”[10]

• As the U.S. CTO, Mr. Park worked at OSTP and was considered part of OSTP leadership.
While there he focused on “how technology policy and innovation can advance the future of our
nation.”[11] According to his biography, previously available on OSTP’s website, Mr. Park is “a
highly accomplished health IT entrepreneur”[12] who together with Mr. Jeff Zients, “assembled
and led the tech surge that overhauled HealthCare.gov, ultimately enabling millions of
Americans to sign up for quality, affordable health insurance.”[13]

• In written testimony before the Committee two years ago, Dr. John Holdren, OSTP Director,
explained that:


[7] Robert Pear and Eric Lipton, “Health Website Official Tells of White House Briefings,” The New York Times,
November 13, 2013, available at: http://www.nytimes.com/2013/11/14/us/officials-say-they-dont-know-cost-of-health-website-fixes.html?_r=0.

[8] Matthew J. Belvedere, “No Security Ever Built Into Obamacare Site: Hacker,” CNBC.com, November 25, 2013,
available at: http://www.cnbc.com/id/101225308.

[9] Mr. Park resigned his position as U.S. CTO on August 29, 2014, per an e-mail from OSTP to the Committee.

[10] White House Blog, “Todd Park Named New U.S. Chief Technology Officer,” March 9, 2012, available at:
http://www.whitehouse.gov/blog/2012/03/09/todd-park-named-new-us-chief-technology-officer.

[11] OSTP website, Todd Park bio, previously available at:
http://www.whitehouse.gov/administration/eop/ostp/about/leadershipstaff/park.

[12] Ibid.

[13] Ibid.
“OSTP also supports me in my role as Assistant to the President for Science and Technology
and the U.S. Chief Technology Officer, who sits in OSTP, in our functions advising the 
President on S&T dimensions of the policy challenges before the Nation, including 
strengthening the economy and creating jobs, improving healthcare and education, 
enhancing the quality of the environment, and advancing national and homeland security.”[14]

The Science Committee’s interest in hearing from Mr. Park intensified with the acquisition 
of documents from the Oversight and Government Reform Committee that identified Mr. Park as a 
White House co-chair of the Affordable Care Act Information Technology Exchanges Steering 
Committee.[15] According to these documents, the stated mission of this HealthCare.gov Steering
Committee is to support the timely and efficient resolution of barriers to assure the implementation 
of “consumer-centric” health insurance exchanges. The Steering Committee’s Charter explicitly 
directs its participants “to promote resolution to key IT strategy and policy issues that impede 
progress on Affordable Care Act activities across the federal government and with the state 
exchanges,” and to “direct the formulation of work groups to identify barriers, develop or identify 
promising practices to support efficiencies, and develop option papers for the Committee’s 
consideration.” The ACA Exchanges Steering Committee oversees both security and privacy 
interagency working groups. 

Previous Hearings 

When the site was launched on October 1, 2013, it was plagued with operational problems. 
In light of the myriad problems facing the website, on November 19, 2013, the Committee held a 
hearing to explore the threat posed by identity theft to Americans if hackers acquired such 
information through the HealthCare.gov website. The hearing also examined issues related to the
website’s security controls and potential vulnerabilities by inviting cybersecurity experts to discuss 
what specific security standards and technical measures should be in place to protect Americans’ 
privacy and personal information on HealthCare.gov. 

The Committee revisited these issues in a subsequent hearing on January 16, 2014,[17] which
provided Members with an updated assessment of HealthCare.gov to determine the likelihood of
personal information being accessed or compromised from an attack on the website. The hearing 
also examined the potential consequences of identity theft to Americans if hackers with malicious 
intent gained personal information through the website. At the conclusion of the hearing, Chairman 


[14] SST hearing, “Examining the Priorities and Effectiveness of the Nation’s Science Policies,” June 20, 2012, available
at: http://science.house.gov/hearing/full-committee-hearing-examining-priorities-and-effectiveness-nation%E2%80%99s-science-policies.

[15] SST Majority Staff Report, “Did the White House Knowingly Put Americans’ Sensitive Information at Risk?
Committee Seeks to Clarify Contradictions Surrounding Senior White House Official’s Role in Developing
HealthCare.gov,” October 2014, available at:
http://science.edgeboss.net/sst2014/documents/October%202014%20Todd%20Park%20Majority%20Staff%20Report.pdf.

[16] SST hearing, “Is My Data on Healthcare.gov Secure?” November 19, 2013, available at:
http://science.house.gov/hearing/full-committee-hearing-my-data-healthcaregov-secure.

[17] SST hearing, “Healthcare.gov: Consequences of Stolen Identity,” January 16, 2014, available at:
http://science.house.gov/hearing/full-committee-hearing-healthcaregov-consequences-stolen-identity.
Smith called on the President to formally certify the safety requirements, security standards and
privacy conditions of HealthCare.gov.

Questions Remain 

One year later, concerns about the HealthCare.gov website’s security still remain with the 
second Open Enrollment period for HealthCare.gov. Despite the improved functionality since the 
flawed October 1st launch, it is unclear how much work has been done to address the privacy and
security aspects of that functionality, which were concerns raised in the Committee’s prior hearings. 

• According to news reports over the past few months, the Centers for Medicare and Medicaid 
Services “denied a request by The Associated Press under the Freedom of Information Act for 
documents about the kinds of security software and computer systems behind the federally 
funded HealthCare.gov.”[18]

• News stories in September also reported that a “hacker broke into part of the HealthCare.gov 
insurance enrollment website in July and uploaded malicious software.”[19]

• A recent U.S. Government Accountability Office review of the website made the following 
observation: “Healthcare.gov had weaknesses when it was first deployed, including incomplete 
security plans and privacy documentation, incomplete security tests, and the lack of an alternate 
processing site to avoid major service disruptions.”[20] This report also finds: “[W]eaknesses
remain both in the processes used for managing information security and privacy, as well as the
technical implementation of IT security controls.”[21]

• And in a recent news conference, the President reportedly said, “We’re really making sure the 
website works super well before the next open enrollment period. We’re double- and
triple-checking it.”[22] However, the same news article reports that while HealthCare.gov performed
better than last year, consumers in Virginia for example, “were having a hard time logging into
their accounts retrieving old passwords and proving they were who they said they were - a
process known as identity proofing, which also vexed many people last fall.”[23]


[18] Jack Gillum, “US Won’t Reveal Records on Health Website Security,” Associated Press, August 21, 2014, available
at: http://www.federalnewsradio.com/458/3684543/US-wont-reveal-records-on-health-website-security.

[19] Danny Yadron, “Hacker Breached HealthCare.gov Insurance Site,” The Wall Street Journal, September 4, 2014,
available at: http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043.

[20] “HealthCare.gov - Actions Needed to Address Weaknesses in Information Security and Privacy Controls,” GAO,
September 16, 2014, available at: http://www.gao.gov/products/GAO-14-730.

[22] Robert Pear and Abby Goodnough, “Some New Frustrations as Health Exchange Opens,” New York Times,
November 15, 2014, available at: http://www.nytimes.com/2014/11/16/us/health-insurance-marketplace-opens.html?rref=us&module=ArrowsNav&contentCollection=U.S.&action=keypress&region=FixedRight&pgtype=article.

[23] Ibid.




Chairman Broun. This hearing of the Subcommittee on Over- 
sight will come to order. Without objection, the Chair is authorized 
to declare recesses of the Committee at any time. 

Good morning, and welcome to today’s hearing. In front of you 
are packets containing the written testimony, biography, and truth- 
in-testimony disclosure for today’s witness. I now recognize myself 
for five minutes for an opening statement. 

I want to thank my colleagues for being here today, and I want 
to especially thank our witness for his presence. We have been 
waiting a very long time to be able to question you, sir. I am sorry 
that we had to come to the point of issuing you a subpoena to get 
that to happen, but I am glad that you are here today, sir. 

In fact, the Committee has invited you several times before on 
five different occasions. We wrote directly to you, Mr. Park, as well 
as to the Director of the Office of Science and Technology Policy. 
None of those invitations elicited the “yes” response that we got as 
a result of issuing you a subpoena. 

In the course of our correspondence, several claims were made by 
OSTP as to why you were not the individual to answer the Com- 
mittee’s questions, such as: that you and OSTP personnel have not 
been substantially involved in developing or implementing the Fed- 
erally Facilitated Marketplace’s security measures; that you did not 
develop or approve the security measures in place to protect the 
website; that you do not manage those responsible for keeping the 
site safe; and that you are not a cyber security expert, which is an 
interesting description of you to say the least. You are the co- 
founder of Athenahealth, which you co-developed into one of the 
most innovative health IT companies in the industry and become 
very wealthy, in fact, doing that. As a government employee, you 
helped launch the President’s Smarter IT Delivery Agenda, which 
created the new U.S. Digital Service, and you created the beta 
version of HealthCare.gov. How do these activities not require 
cybersecurity expertise? 

Further, on November 13, 2013, in testimony, sworn testimony, 
before the Committee on Oversight and Government Reform, you 
said that you did not, to quote you, “actually have a really detailed 
knowledge base” of the website before it was launched, and that 
you were, again quoting you, “not deeply familiar with the develop- 
ment and testing regimen that happened prior to October 1.” 

However, the Committee has in its possession documents that 
appear to contradict much of what you have said in your prior Con- 
gressional appearance, again under oath, as well as what OSTP 
has explained to this Committee. 

But these documents were not easy to come by, despite request- 
ing them in a letter last December, and despite preparing to ask 
about them in a briefing OSTP arranged on your behalf in Sep- 
tember — a briefing that was canceled the evening before it was 
scheduled to take place when your colleagues were informed it 
would be transcribed. 

Mr. Park, I find your and the White House’s lack of transparency 
intolerable and an obstruction to this Committee’s efforts to con- 
duct oversight. It took a subpoena to get you here, sir. It took an- 
other subpoena to compel your documents from the White House, 
but even with that, we have yet to receive all of your documents 
in compliance with our subpoena issued on September 19, exactly
2 months ago. 

As a gesture of good faith, Committee staff have engaged in mul- 
tiple in-camera reviews with White House lawyers, yet there are 
still documents being withheld from the Committee without a claim 
of a legally recognized privilege. That begs the question: What are 
you hiding, Mr. Park? 

I have some theories about the answer to that question. Perhaps 
it is that you knew there were serious problems with 
HealthCare.gov prior to the launch but you did not convey them up 
the chain in your briefings with the President. Or, perhaps you did, 
and they were ignored because of this Administration’s relentless 
pursuit to launch HealthCare.gov on October 1, 2013, no matter 
the consequences. 

Now here we are, a year later and fresh into the beginning of the 
second open enrollment, with questions that still remain about this 
$2 billion debacle you are credited with fixing — a debacle that, I 
might add, got hacked this summer and that, according to a recent 
Government Accountability Office report, still has weaknesses, as 
they say “both in the processes used for managing information se- 
curity and privacy, as well as the technical implementation of IT 
security controls.” 

We look forward to this opportunity to ask you some of our ques- 
tions, Mr. Park. 

I also now ask unanimous consent to submit documents for the 
record, which will be referenced in some of our questions. Without 
objection, so ordered. 

[The information appears in Appendix II] 

Chairman Broun. Before I yield to the Ranking Member, Eddie 
Bernice Johnson, my friend from Texas, and because of some con- 
flict with the Democrats, we will come back to Mr. Swalwell’s state- 
ment later on, I might add that this is likely my last time chairing 
this Subcommittee on Oversight for a hearing, and I would like to 
thank my friends on both sides of the aisle, especially Chairman 
Smith, for a productive two years of hard work on this Sub- 
committee. Our staff, both Democrat and Republican, worked very 
hard. We worked together in as bipartisan manner as possible. We 
might not have agreed on all the issues. Some issues we did, some 
we didn’t. But it has been a very productive two years, I think, and 
I have been very privileged to Chair this Subcommittee. I wish you 
all well next year. 

[The prepared statement of Mr. Broun follows:] 

Prepared Statement of Subcommittee on Oversight 
Chairman Paul Broun 

Good morning. I want to thank my colleagues for being here today and I want 
to especially thank our witness for his presence — we have been waiting a very long 
time to question you, sir. 

In fact, the Committee has invited you to testify before us on five different occa- 
sions. We wrote directly to you, Mr. Park, as well as to the Director of the Office 
of Science and Technology Policy. None of those invitations elicited the “yes” re- 
sponse we got as a result of issuing you a subpoena. 

In the course of our correspondence, several claims were made by OSTP as to why 
you were not the individual to answer the Committee’s questions, such as: 
• That you and OSTP personnel have not been substantially involved in developing
or implementing the Federally Facilitated Marketplace’s security measures;

• That you did not develop or approve the security measures in place to protect 
the website; 

• That you do not manage those responsible for keeping the site safe; and 

• That you are not a cybersecurity expert — which is an interesting description of 
you to say the least. You are the co-founder of Athenahealth, which you co-de- 
veloped into one of the most innovative health IT companies in the industry. 
As a government employee, you helped launch the President’s Smarter IT Delivery
Agenda, which created the new U.S. Digital Service, and you created the
beta version of HealthCare.gov — how do these activities not require 
cybersecurity expertise? 

Further, on November 13, 2013, in testimony before the Committee on Oversight 
and Government Reform, you said that you did not “actually have a really detailed 
knowledge base” of the website before it was launched, and that you were “not deeply
familiar with the development and testing regimen that happened prior to October 1.”[1]

However, the Committee has in its possession documents that appear to con- 
tradict much of what you have said in your prior Congressional appearance, as well 
as what OSTP has explained to this Committee. 

But these documents were not easy to come by, despite requesting them in a let- 
ter last December, and despite preparing to ask about them in a briefing OSTP ar- 
ranged on your behalf in September — a briefing that was cancelled the evening be- 
fore it was scheduled to take place when your colleagues were informed it would 
be transcribed. 

Mr. Park, I find your and the White House’s lack of transparency intolerable and 
an obstruction to this Committee’s efforts to conduct oversight. It took a subpoena 
to get you here. It took another subpoena to compel your documents from the White 
House, but even with that, we have yet to receive all of your documents in compli- 
ance with our subpoena issued on September 19th, exactly two months ago. As a 
gesture of good faith, Committee staff have engaged in multiple in camera reviews
with White House lawyers, yet there are still documents being withheld from the 
Committee without a claim of a legally recognized privilege. That begs the ques- 
tion — what are you hiding, Mr. Park? 

I have some theories about the answer to that question. Perhaps it is that you 
knew there were serious problems with HealthCare.gov prior to the launch but you 
did not convey them up the chain in your briefings with the President. Or, perhaps 
you did, and they were ignored because of this Administration’s relentless pursuit 
to launch HealthCare.gov on October 1, 2013, no matter what the consequences. 

Now here we are, a year later and fresh into the beginning of the second Open 
Enrollment, with questions that still remain about this $2 billion dollar debacle you 
are credited with fixing — a debacle that, I might add, got hacked this summer and 
that, according to a recent Government Accountability Office report, still has weak- 
nesses “both in the processes used for managing information security and privacy, 
as well as the technical implementation of IT security controls.” 

We look forward to this opportunity to ask you some of our questions. 

Before I yield to Mr. Swalwell for his opening statement, let me just add that this
is likely my last time chairing an Oversight Subcommittee hearing, and I would like 
to thank my friends on both sides of the aisle — especially Chairman Smith — for a 
productive two years of hard work on this Subcommittee. I wish you all well next 
year, and I now recognize Mr. Swalwell.

Chairman Broun. I now recognize our Ranking Member, Ms. 
Eddie Bernice Johnson, for her statement. You are recognized for 
five minutes. 

Ms. Johnson. Thank you, Mr. Chairman, and let me express my 
appreciation for your service, since this might very well be your 
last chairing of this Committee, and wish you well in the future. 


[1] “Obamacare Implementation-The Rollout of HealthCare.gov,” House Oversight and Government
Reform Committee, November 13, 2013, available at: http://oversight.house.gov/wp-content/uploads/2014/06/11-13-13-TRANSCRIPT-Obamacare-Implementation-The-Rollout-of-HealthCare.gov — .pdf.
We have maintained a great relationship, although I must say that
probably 99.9 percent of the time we disagree. 

But I want to welcome Mr. Park, the former Chief Technology 
Officer of the United States, to this Committee hearing, and I ap- 
preciate, Mr. Park, your willingness to appear before us. I want to 
apologize to you for all the political theater that is unfolding 
around your appearance. Please keep in mind that this hearing is 
largely an excuse for the majority to again express their dislike for 
the Affordable Care Act and the online Marketplace that has led 
millions of Americans to find medical coverage. I know that they 
do not like Obamacare. The Majority has voted at least some 53 
times during this Congress to repeal or dismantle the ACA. 

Nevertheless, I want to ask all Members here today to please re- 
member that Mr. Park is not personally responsible for the ACA, 
nor is he responsible for the problems on October 1, 2013. 

Mr. Park, it is clear that you were not responsible for how the 
website performed last October 1st. In doling out responsibility for 
its performance on day one, I think it was fair to assign you zero 
percentage of the responsibility, which reflects the degree of your 
actual involvement in developing the website. 

Of course, your job at the White House put you in a position to 
have more insight than most into how the Centers for Medicare 
and Medicaid Services were doing in developing the program, but 
the management of the program was up to CMS. And the people 
doing the actual development work were contractors who legally 
answered to CMS. As I am sure you would agree, insight into what 
is going on does not equate to being intimately involved or directly 
responsible for the website. And of course your real job as CTO 
during that period had you leading multiple interagency initiatives 
designed to push technology into the American economy and across 
society. For example, you were working to make U.S. government 
data more easily accessible by the public, which can spur innova- 
tion, profits and jobs, as has been amply demonstrated by the way 
that publicly available National Weather Service data has spawned 
a multibillion-dollar weather forecasting industry. 

Mr. Park, I think it is fair to say that fundamentally you were 
working to make services of the government more readily available 
to citizens during your tenure as CTO. You were working to help 
reduce information costs in various areas of the economy, notably 
your green button initiative to let consumers get a better idea 
about energy consumption and sourcing. You were facilitating dia- 
logues across communities to bring experts on particular social 
issues face-to-face with experts from the IT world. Laudably, you 
were a part of an initiative aimed at stopping human trafficking 
and another initiative designed to find ways to harness IT more ef- 
fectively in disaster response. 

I know that as I cite these examples, I am just scratching the 
surface of the scope of your day job as CTO of the United States. 
Regrettably, the Committee has made no effort to understand this 
broad portfolio of your accomplishments there, and has shown little 
appreciation for your patriotic desire to serve, even though it 
meant leaving the lucrative world of Silicon Valley IT startups and 
venture capital. From the bottom of my heart, I want to thank you 
for all you did and tried to do, including joining the team tasked
with fixing the HealthCare.gov site after October 1st. 

I hope your experience with this Committee won’t diminish your 
sense of pride in your accomplishments or dampen your enthu- 
siasm for public service. We need people like you to be willing to 
come serve this country. 

Thank you, and I yield back. 

[The prepared statement of Ms. Johnson follows:] 

Prepared Statement of Full Committee 
Ranking Member Eddie Bernice Johnson 

Mr. Chairman, I want to welcome Mr. Park, the former Chief Technology Officer 
of the United States, to this Committee hearing. I appreciate your willingness to ap- 
pear before us, Mr. Park, and I want to apologize to you for all the political theater 
that is unfolding around your appearance. 

Please keep in mind that this hearing is largely an excuse for the Majority to 
again express their dislike for the Affordable Care Act and the online-Marketplace 
that has let millions of Americans find medical coverage. I know that they do not 
like Obamacare — the Majority have voted in the House some 53 times during this 
Congress to repeal or dismantle the ACA. Nevertheless, I want to ask all Members 
here today to please remember that Mr. Park is not personally responsible for the 
ACA, nor is he responsible for the problems on October 1, 2013. 

Mr. Park, it is clear that you were not responsible for how the website performed 
last October 1. In doling out responsibility for its performance on day one I think 
it’s fair to assign you 0 % of the responsibility, which reflects the degree of your 
actual involvement in developing the website. 

Of course, your job at the White House put you in a position to have more insight 
than most into how the Centers for Medicare and Medicaid Services were doing in 
developing the program, but the management of the program was up to CMS. And 
the people doing the actual development work were contractors who legally an- 
swered to CMS. As I’m sure you would agree, insight into what is going on does 
not equate to being intimately involved or directly responsible for the website. 

And of course your real job as CTO during that period had you leading multiple 
interagency initiatives designed to push technology out into the American economy 
and across society. For example, you were working to make U.S. government data 
more easily accessible by the public, which can spur innovation, profits, and jobs, 
as has been amply demonstrated by the way that publicly available National Weath- 
er Service data has spawned a multi-billion dollar weather forecasting industry. 

Mr. Park, I think it is fair to say that fundamentally you were working to make 
services of the government more readily available to citizens during your tenure as 
CTO. You were working to help reduce information costs in various areas of the 
economy, notably your “green button” initiative to let consumers get a better idea 
about energy consumption and sourcing. You were facilitating dialogues across com- 
munities to bring experts on particular social issues face-to-face with experts from 
the IT world. Laudably, you were a part of an initiative aimed at stopping human 
trafficking and another initiative designed to find ways to harness IT more effec- 
tively in disaster response. 

I know that as I cite these examples, I am just scratching the surface of the scope 
of your day job as CTO of the United States. Regrettably, the Committee has made 
no effort to understand this broad portfolio or your accomplishments there, and has 
shown little appreciation for your patriotic desire to serve, even though it meant 
leaving the lucrative world of Silicon Valley IT start-ups and venture capital. 

From the bottom of my heart, I want to thank you for all you did and tried to 
do, including joining the team tasked with fixing the healthcare.gov site after Octo- 
ber 1. I hope your experience with this Committee won’t diminish your sense of 
pride in your accomplishments or dampen your enthusiasm for public service. We 
need people like you to be willing to come serve the country. 

Chairman Broun. Thank you, Ms. Johnson. I disagree with you 
about a couple of issues. One is that we have recognized Mr. Park’s 
accomplishments and responsibilities outside of being involved in 
HealthCare.gov. In fact, he himself has said he has not been deeply 
involved, though there are emails that we have and that you have 
that show otherwise. So it is not zero involvement, and it seems to 
be the mantra of this Administration that people are zero involved 
and have no responsibility for issues, but thank you, Ms. Johnson. 

I now recognize the full Committee Chairman, Mr. Lamar Smith, 
for five minutes. 

Chairman Smith. Thank you, Mr. Chairman. 

Americans have seen firsthand the misrepresentations that sur- 
round Obamacare. First, there was the President’s broken promise 
that “If you like your health care plan, you can keep it.” Then, in 
a video that surfaced last week, MIT professor Jonathan Gruber, 
a principal architect of Obamacare, admitted how the Administra- 
tion sold this to the American people, saying “Lack of transparency 
is a huge political advantage. Basically, call it the stupidity of the 
American voter or whatever, but basically that was really, really 
critical to getting the thing [Obamacare] to pass.” 

Finally, after a year of requests by this Committee, the Adminis- 
tration has agreed to have someone who worked in the White 
House testify about the lack of security of the HealthCare.gov 
website. Mr. Todd Park was the White House Chief Technology Of- 
ficer for the Office of Science and Technology Policy from March 
2012 to August 2014. 

Joining the Obama Administration in the Department of Health 
and Human Services, Mr. Park was one of the principal architects 
for the HealthCare.gov website. Former Health and Human Serv- 
ices Secretary Kathleen Sebelius later called this website “a deba- 
cle” with a recent estimated cost of $2 billion. 

Today we will review the White House’s repeated misinformation 
about the HealthCare.gov website. Mr. Park’s own emails show an 
in-depth, detailed knowledge about cybersecurity issues with the 
website. He was the primary spokesperson for the White House 
about the website and the website’s security. Mr. Park directed sev- 
eral contractors to review the security of the website. 

On October 10th, soon after the website went operational, Mr. 
Park read an online article by David Kennedy, a white hat hacker 
who has testified twice before this Committee. Mr. Kennedy’s arti- 
cle was titled “Is the Affordable Care Website Secure? Probably 
Not.” Mr. Park commented in an email how he was advised that 
“these guys are on the level.” We are asking Mr. Park to explain 
his role in developing the $2 billion website and what the Adminis- 
tration knew about the security risks of the website. 

As of today, the White House still has failed to provide this Com- 
mittee with all the documents that are subject to the subpoena. 
The ones we do have paint a far different picture than that of the 
Office of Science and Technology Policy. 

As I mentioned, the Committee has not received all of the emails 
and other documents that were subject to the subpoena so another 
hearing may well be necessary. 

Finally, I want to take a moment to thank the Chairman of the 
Oversight Subcommittee, Dr. Paul Broun, for his tireless efforts on 
this subject as well as so many other subjects that have come be- 
fore this Subcommittee. We appreciate his public service and his 
dedication over the years to his constituents, to Congress, and to 
our country. So Chairman Broun, thank you again for all you have 
done. We appreciate all your great work, and I look forward to to- 
day’s hearing. 

[The prepared statement of Mr. Smith follows:] 

Prepared Statement of Full Committee Chairman Lamar S. Smith 

Americans have seen first-hand the misrepresentations that surround Obamacare. 
First, there was the President’s broken promise that “If you like your health care 
plan, you can keep it.” 

Then, in a video that surfaced last week, MIT professor Jonathan Gruber, a prin- 
cipal architect of Obamacare, admitted how the Administration sold this to the 
American people, saying: 

“Lack of transparency is a huge political advantage. Basically, call it the stu- 
pidity of the American voter or whatever, but basically that was really, really 
critical to getting the thing [Obamacare] to pass.” 

Finally, after a year of requests by this Committee, the Administration has agreed 
to have someone who worked in the White House testify about the lack of security 
of the HealthCare.gov website. Mr. Todd Park was the White House Chief Tech- 
nology Officer for the Office of Science and Technology Policy (OSTP) from March 
2012 to August 2014. 

Joining the Obama Administration in the Department of Health and Human 
Services, Mr. Park was one of the principal architects for the HealthCare.gov 
website. Former Health and Human Services (HHS) Secretary Kathleen Sebelius 
later called this website “a debacle” with a recent estimated cost of $2 billion. 

Today we will review the White House’s repeated misinformation about the 
HealthCare.gov website. 

Mr. Park’s own emails show an in-depth, detailed knowledge about cybersecurity 
issues with the website. He was the primary spokesperson for the White House 
about the website and the website’s security. 

Mr. Park directed several contractors to review the security of the website. On 
October 10th — soon after the website went operational — Mr. Park read an online ar- 
ticle by David Kennedy, a white hat hacker who has testified twice before this Com- 
mittee. 

Mr. Kennedy’s article was entitled “Is the Affordable Care Website Secure? Prob- 
ably Not.” Mr. Park commented in an email how he was advised that “these guys 
are on the level.” 

We’re asking Mr. Park to explain his role in developing the $2 billion website and 
what the Administration knew about the security risks of the website. 

As of today, the White House still has failed to provide this Committee with all 
the documents that are subject to the subpoena. The ones we do have paint a far 
different picture than that of the Office of Science and Technology Policy. 

As I mentioned, the Committee has not received all of the emails and other docu- 
ments that were subject to the subpoena. So another hearing may well be necessary. 

Finally, I want to take a moment to thank the chairman of the Oversight Sub- 
committee, Dr. Paul Broun, for his tireless efforts on this subject and many others 
before the Oversight Subcommittee. We appreciate his public service and dedication 
over his many years on the Science Committee. 

I look forward to today’s hearing. 

Chairman Broun. Thank you, Mr. Smith. As I announced ear- 
lier, Mr. Swalwell will be joining us in a bit, and he will give his 
opening statement at that time and then ask his questions in due 
order. If there are Members who wish to submit additional opening 
statements, your statements will be added to the record at this 
point. 

At this time, I would like to introduce today’s witness, Mr. Todd 
Park, the former Chief Technology Officer of the United States and 
Assistant to the President. Prior to this role, Mr. Park served as 
Chief Technology Officer for the U.S. Department of Health and 
Human Services, and before entering Federal service, Mr. Park co- 
founded Athenahealth and co-led its development into one of the 
most impressive health IT companies in the industry. 

As our witness should know, spoken testimony is limited to five 
minutes after which the members of the Committee will have five 
minutes each to ask questions. And Mr. Park, it is the practice of 
this Subcommittee on Oversight to receive testimony under oath. 
If you now would please stand and raise your right hand? Do you 
solemnly swear and affirm to tell the whole truth and nothing but 
the truth, so help you God? 

Mr. Park. I do. 

Chairman Broun. Thank you. You may be seated. Let the record 
reflect that the witness answered in the affirmative and has taken 
the oath. 

I now recognize Mr. Park for five minutes to present your testi- 
mony, sir. 

TESTIMONY OF TODD PARK, 

FORMER CHIEF TECHNOLOGY OFFICER 
OF THE UNITED STATES, 

OFFICE OF SCIENCE AND TECHNOLOGY POLICY 

Mr. Park. Thank you, sir. 

Chairman Broun, thank you for your service. Chairman Smith, 
Ranking Member Swalwell, Ranking Member Johnson and Mem- 
bers of the Committee, good morning. I am looking forward to the 
opportunity to offer testimony to you today. 

To begin, I would like to provide some context for my time as 
U.S. Chief Technology Officer that will be helpful in addressing 
questions you have asked me to answer. 

I am a private-sector health IT entrepreneur by background and 
have been blessed with significant success in that arena. Only in 
America can the son of two brave immigrants from Korea have the 
kind of business-building experiences that I have been blessed to 
have. I love this country very much, and it has been the greatest 
honor of my life to serve it. 

In March 2012, after 2-1/2 years working at the U.S. Depart- 
ment of Health and Human Services, I joined the White House Of- 
fice of Science and Technology Policy as U.S. CTO. In this role, my 
primary job was to serve as a Technology Policy and Innovation 
Advisor across a broad portfolio of issues, working on open data 
policy and initiatives, wireless spectrum policy, how to advance a 
free and open Internet, how to harness the power of technological 
innovation to fight human trafficking and improve disaster re- 
sponse and recovery, and more. My role as U.S. CTO was not to 
oversee the internal Federal IT budget and operations. However, 
given my background at HHS and as a health IT entrepreneur, I 
was asked to provide assistance to CMS, which was the agency in 
charge of managing the development of the new HealthCare.gov in- 
cluding the Federally Facilitated Marketplace for Health Insur- 
ance. I provided assistance to CMS in a few different capacities. 

For example, I served as one of three co-chairs of an interagency 
steering committee organized by the Office of Management and 
Budget and which focused on providing a neutral venue in which 
agencies like CMS, IRS, SSA and others could work through inter- 
agency items, primarily in support of the Data Services Hub, which 
ended up going live quite successfully. I assisted with a Red Team 
exercise in early 2013 that helped identify actions to improve 
project execution as well as some associated follow-on work that 
summer. From time to time I helped connect people to each other, 
served as a spokesperson of sorts, and provided help on particular 
questions. 

However, to properly calibrate your expectations of my knowl- 
edge of CMS’s initial development of the new HealthCare.gov and 
the Federally Facilitated Marketplace, I was not a project manager 
who was managing and executing the day-in and day-out oper- 
ational work of building the new HealthCare.gov and the Federally 
Facilitated Marketplace. This was the responsibility of CMS. I 
didn’t have the kind of comprehensive, deep, detailed knowledge of 
the effort that a hands-on project manager would have, and which 
I have had about other projects in my private-sector work. 

I assisted CMS with its work as an advisor while executing my 
overall duties as White House Technology Policy Innovation Advi- 
sor working on a broad range of policy issues as I described earlier. 

As the new HealthCare.gov and the Federally Facilitated Mar- 
ketplace rolled out in the fall of 2013, as the extent of operational 
issues with the site became clear, it became an all-hands-on-deck 
moment, and I along with others dropped everything else I was 
doing and increased my involvement in HealthCare.gov dramati- 
cally, shifting full time into the HealthCare.gov turnaround effort 
and working as part of a tech surge, which radically improved the 
performance of the site. I worked as part of a terrific team working 
around the clock, even sleeping on office floors. My particular focus 
was on helping to reduce the amount of time the site was down, 
improve the site’s speed, improve its ability to handle high user 
volume, and improve user-facing functionality. Our team effort 
drove massive improvement in the site, ultimately enabling mil- 
lions of Americans to sign up for health insurance through the site, 
many of whom had previously been uninsured. 

At the end of the day on April 15, 2014, the last day of extended 
special enrollment, I went back to my U.S. CTO day job of being 
Technology Policy and Innovation Advisor, and my involvement in 
HealthCare.gov accordingly scaled back dramatically. 

As another contextual note, I understand that the Committee’s 
primary interest has been the security of HealthCare.gov. I do not 
have the expertise in cybersecurity that the professors of 
cybersecurity and other experts who previously testified before this 
Committee have. Responsibility for the cybersecurity of 
HealthCare.gov rests with CMS. My involvement with the security 
of HealthCare.gov has been rather tangential. The interagency 
steering committee I co-chaired had a privacy and security sub- 
group but the subgroup was staffed and led by Agency personnel 
who occasionally asked the overall committee co-chairs to help fa- 
cilitate interagency dialog and cooperation but who generally drove 
to the ultimate answers themselves. There were a small number of 
other occasions when I was asked to serve as a spokesperson of 
sorts — summarizing general cybersecurity content supplied by CMS 
and HHS — to function as a liaison or facilitator connecting people 
to each other, or to provide my general thoughts for whatever they 
were worth. But, again, I am not a cybersecurity expert. 

As a final contextual note, at the end of August of this year, in 
order to stay married, I stepped down as U.S. CTO and returned 
home to Silicon Valley, fulfilling my wife’s longstanding desire to 
do so. I continue to serve our country as a consultant to the White 
House based in Silicon Valley, focused primarily on attracting more 
and more of the best tech talent in the Nation to serve the Amer- 
ican people, which is important to our vital work as a government 
to radically improve how the government delivers digital services 
and unleashes the power of technology in general. 

Thank you for the opportunity to provide some context for my 
testimony today, and I look forward to answering your questions as 
best I can. 

[The prepared statement of Mr. Park follows:] 

Chairman Broun, Chairman Smith, Ranking Member Maffei, Ranking 
Member Johnson, and Members of the Committee, good morning. I'm 
looking forward to the opportunity to offer testimony to you today. 


To begin, I would like to provide some context for my time as United 
States Chief Technology Officer (CTO) that will be helpful in addressing 
questions you've asked me to answer. 


I am a private-sector health IT entrepreneur by background, and have 
been blessed with significant success in that arena. Only in America can 
the son of two brave immigrants from Korea have the kind of business- 
building experiences that I have been blessed to have. 


In August 2009, I was asked to come serve our country, the country I 
love so very much, as the U.S. Department of Health and Human 
Service's (HHS) Chief Technology Officer (CTO) and "entrepreneur-in- 
residence." My role at HHS was to serve as a technology policy and 
innovation advisor. My principal focus there was on open data policy - 
making health care-related data and knowledge more open and 
accessible to help fuel innovation, entrepreneurship, and health care 
improvement. As a special project, after the passage of the Affordable 
Care Act in March 2010, I was also asked to lead an early effort to 
develop a website in 90 days that provided basic information about the 
Affordable Care Act and health coverage options. This website was the 
first edition of HealthCare.gov, and was a purely informational site; it 
did not contain a transactional marketplace in which people applied for 
health insurance. This early website went live very successfully on July 
1, 2010. I should note that, subsequently, this website was essentially 
completely replaced in 2013 by the Centers for Medicare and Medicaid 
Services (CMS) with a new HealthCare.gov that incorporated the 
Federally Facilitated Health Insurance Marketplace. 


In March 2012, I joined the White House Office of Science and 
Technology Policy as U.S. CTO. In this role, my primary job was to serve 
as a technology policy and innovation advisor across a broad portfolio 
of issues, working on open data policy and initiatives, wireless spectrum 
policy, how to advance a free and open internet, how to harness the 
power of technological innovation to fight human trafficking and 
improve disaster response and recovery, and more. My role as U.S. 
CTO was not to oversee the internal Federal IT budget and operations. 
However, given my background at HHS and as a health IT entrepreneur, 
I was asked to provide assistance to CMS, which was the agency in 
charge of managing the development of the new HealthCare.gov, 
including the Federally Facilitated Marketplace for health insurance. 


I provided assistance to CMS in a few different capacities. For example, 
I served as one of three co-chairs of an interagency steering committee, 
organized by the Office of Management and Budget (OMB) and which 
focused on providing a neutral venue in which agencies like CMS, IRS, 
SSA and others could work through interagency items - primarily in 
support of the data services hub, which ended up going live quite 
successfully. I assisted with a "red team" exercise in early 2013 that 
helped identify actions to improve project execution, as well as some 
associated follow-on work that summer. From time to time, I helped 
connect people to each other, served as a spokesperson of sorts, and 
provided help on particular questions. 


However, to properly calibrate your expectations of my knowledge of 
CMS's initial development of the new HealthCare.gov and Federally 
Facilitated Marketplace: I was not a project manager who was 
managing and executing the day-in and day-out operational work of 
building the new HealthCare.gov and the Federally Facilitated 
Marketplace. This was the responsibility of CMS. I didn't have the kind 
of comprehensive, deep, detailed knowledge of the effort that a hands- 
on project manager would have, and which I have had about other 
projects in my private sector work. I assisted CMS with its work as an 
advisor, while executing my overall duties as White House technology 
policy and information advisor, working on a broad range of policy 
issues, as I described earlier. 


As the new HealthCare.gov and the Federally Facilitated Marketplace 
rolled out in the fall of 2013, as the extent of the operational issues 
with the site became clear, it became an all-hands on deck moment, 
and I, along with others, dropped everything else I was doing and 
increased my involvement in HealthCare.gov dramatically, shifting full- 
time into the HealthCare.gov turnaround effort, and working as part of 
the "tech surge" that radically improved the performance of the site. 

I worked as part of a terrific team, working around the clock, even 
sleeping on office floors. My particular focus was on helping to reduce 
the amount of time the site was down, improve the site's speed, 
improve its ability to handle high user volume, and improve user-facing 
functionality. Our team effort drove massive improvement in the site, 
ultimately enabling millions of Americans to successfully sign up for 
health insurance through the site -- many of whom had previously been 
uninsured. 


At the end of the day on April 15, 2014, the last day of extended special 
enrollment, I went back to my U.S. CTO day job of being technology 
policy and innovation advisor, and my involvement in HealthCare.gov 
accordingly scaled back dramatically. 


As another contextual note, I understand that the committee's primary 
interest has been the security of HealthCare.gov. I do not have the 
expertise in cybersecurity that the professors of cybersecurity and 
other experts who previously testified before this Committee have. 
Responsibility for the cybersecurity of HealthCare.gov rests with CMS. 
As you know, each federal agency has responsibility for the security of 
its sites, as each agency is closest to the ground and the operations of 
its programs. My involvement with the security of HealthCare.gov has 
been rather tangential. The interagency steering committee I co- 
chaired had a privacy and security subgroup, but this subgroup was 
staffed and led by agency personnel, who occasionally asked the overall 
committee co-chairs to help facilitate interagency dialogue and 
cooperation, but who generally drove to the ultimate answers 
themselves. There were a small number of other occasions when I was 
asked to serve as a spokesperson of sorts (summarizing general 
cybersecurity content supplied by CMS and HHS), to function as a 
liaison or facilitator connecting people to each other, or to provide my 
general thoughts for whatever they were worth. But, again, I am not a 
cybersecurity expert. 


As a final contextual note, at the end of August of this year, in order to 
stay married, I stepped down as U.S. CTO and returned home to Silicon 
Valley, fulfilling my wife's longstanding desire to do so. I continue to 
serve our country as a consultant to the White House based in Silicon 
Valley, focused primarily on attracting more and more of the best tech 
talent in the Nation to serve the American people - which is important 
to our vital work as a government to radically improve how the 
government delivers digital services and unleashes the power of 
technology in general. 


Thank you for the opportunity to provide some context for my 
testimony today, and I look forward to answering your questions as 
best I can. 

Todd Park 

Todd Park is a consultant to the White House based in Silicon Valley, a role in which he has served since the end of 
August, 2014. Park’s focus is on recruiting more top tech talent like Mikey Dickerson into government and identifying 
innovative ways to improve the quality of government digital services, two central goals of the President’s Smarter IT 
Delivery agenda. He is also helping to ensure that the Administration has an on-the-ground sense of how technology 
is evolving and can craft policy and initiatives accordingly. 

Prior to this role, Todd Park served as the U.S. Chief Technology Officer (CTO) in the White House Office of Science 
and Technology Policy from 2012-2014. In this role, he served as an Assistant to the President. As U.S. CTO, Park 
focused on how technology policy and innovation can advance the future of our nation. 

Park joined the Administration in August 2009 as Chief Technology Officer of the U.S. Department of Health and 
Human Services (HHS). In this role, he served as a change agent and “entrepreneur-in-residence,” helping HHS 
harness the power of data, technology, and innovation to improve the health of the nation. Prior to joining HHS, Mr. 
Park co-founded Athenahealth and co-led its development into one of the most innovative health IT companies in the 
industry. He also co-founded Castlight Health, a web-based health care shopping service for consumers. 

Park also served in a volunteer capacity as a Senior Fellow at the Center for American Progress, where he focused 
on health IT and health reform policy, and as senior health care advisor to Ashoka, a leading global incubator of 
social entrepreneurs, where he helped start Healthpoint Services, a venture to bring affordable telehealth, drugs, 
diagnostics, and clean water to rural India. Mr. Park graduated magna cum laude and Phi Beta Kappa from Harvard 
College with an A.B. in economics. 

Chairman Broun. Thank you, Mr. Park, for your testimony. Re- 
minding members that Committee rules limit questioning to five 
minutes, the Chair at this point will open the round of questions. 
The Chairman recognizes himself for five minutes. 

Mr. Park, let us clarify something. You claim in your opening 
statement today that you did not have, to quote you, “comprehen- 
sive, deep, detailed knowledge” of development, testing and 
cybersecurity of HealthCare.gov website and that you “assisted 
CMS with its work as an advisor.” Yet if you refer to tab 8 in your 
binder there, you can read along from the highlighted sections of 
one of your subpoenaed emails dated June 26, 2013, sent to 
Marilyn Tavener, Michele Snyder and Henry Chao about “a deep- 
dive session with Henry Chao.” Specifically, you wrote, “Marilyn, 
I’m also going to visit with Henry and team for one of our evening 
deep-dive sessions to get up to speed on the latest status of IT and 
testing. There’s no substitute for an evening deep dive. So I’ll bring 
healthy food and snacks to Baltimore and camp out with Henry 
and team for a few hours.” 

Mr. Park, please explain to me how you define “deep, detailed 
knowledge” and then contrast that with a deep-dive experience 
with Mr. Chao and that lasts for several hours. 

Mr. Park. Sir, I would be delighted to. So in my private-sector 
experience, when you have really deep, detailed, comprehensive 
knowledge of a project, that comes from being the project manager. 
That comes from being the person who is in charge of running 
things, you know what is going on, you know each axis of what is 
going on on an ongoing basis, and that is the role I served in my 
private-sector life on a variety of projects but that was not the role 
I was serving on the Federally Facilitated Marketplace. That was 
CMS’s responsibility. 

What is happening here is that on a few occasions, I spent time 
with the folks who were actually running the project and asked a 
series of questions and got information but that level of knowledge 
pales in comparison to the really deep, detailed, comprehensive 
knowledge that you would have as the project manager running the 
thing on an ongoing basis. 

Chairman Broun. So you had some supervisory function there. 

Mr. Park, do you agree with Health Secretary Kathleen Sebelius’ 
assessment that the rollout of the website was “a debacle”? 

Mr. Park. The rollout was unacceptable, sir. 

Chairman Broun. Mr. Park, you acknowledge in your opening 
statement that you were one of three White House co-chairmen of 
the Affordable Care Act Information Technology Exchanges Steer- 
ing Committee, and that at least initially met on a monthly basis. 
What was your role in these meetings? Would you say that you 
were the leader of this White House trio? 

Mr. Park. I would say that I was one of the three co-chairs. It 
was actually principally led and organized by the Office of Manage- 
ment and Budget, and the role of the committee was to focus on 
providing a neutral venue where agencies could come together and 
work on really interagency issues, primarily in support of the Data 
Services Hub. 

Chairman Broun. Well, on April 11, 2013, in an email sent at 
2:31 p.m. — that is in tab 1 

Mr. Park. Thank you, sir. 

Chairman Broun. — of your binder, with the subject “Coordina- 
tion on ACA,” one of the co-chairs, Mr. Steven VanRoekel, then 
U.S. Chief Information Officer, expressed his concerns about your 
closeness to the Centers for Medicare and Medicaid Services by 
writing this: “CMS has not been inclusive and is not leading a co- 
ordinated effort that will lead to success. I am also worried that 
you are getting a too-CMS-centric picture. I would love nothing 
more than this not to be the case, to be assured ACA implementa- 
tion is on a path we want to be on, and that existing efforts will 
deliver what we want.” 

Your response to him sent the same day at 4:58 p.m. states, 
“Hey, brother. Thanks so much for the note and the chat! Many 
apologies for not staying in tighter sync with you on this. Will 
make sure we stay in close sync going forward.” 

To be clear, this is the same CMS that the Office of Science and 
Technology Policy has told the Committee in various letters is in 
a “far better position to discuss the standards that are in place for 
the website.” 

You did not deny this closeness to Mr. VanRoekel, and indeed, 
your closeness to individuals such as Henry Chao, Chief Informa- 
tion Officer at CMS, and Michele Snyder, then Chief Operating Of- 
ficer at CMS and the number two official, is evident in the many 
emails we have seen of your conversations with them. 

If you were not the leader, then why was Mr. VanRoekel looking 
toward you for guidance? And if you were so close to CMS that it 
concerned your co-chair, then surely you are in just fine a position 
to answer our questions about the website and should have done 
so a year ago? 

Mr. Park. So thank you for the opportunity to discuss this par- 
ticular email. As I recall, I think this was precipitated by the fact 
that I had assisted, as I said in my opening testimony, the Red 
Team exercise CMS had engaged in to basically assess risks and 
identify mitigative actions to mitigate those risks in early 2013. 
Steve was actually not involved with that, and he was expressing 
concern about the fact that he wasn’t synced up and was worried 
about a variety of different things. 

What I can say, as actually the email says, is that we did sync 
up. We were going to, and then I can report that we did sync up 
on the Red Team results and recommendations and the path for- 
ward on the steering committee and other items and his concerns 
basically were dealt with in a way that was satisfactory to him. 

Chairman Broun. My time is expired. I now recognize Ms. John- 
son for five minutes. 

Ms. Johnson. Thank you very much, Mr. Chairman. 

Mr. Park, Mr. Broun summarized your explanation regarding 
deep dives by saying you had some supervisory responsibilities. Did 
you indeed have supervisory responsibilities? 

Mr. Park. I would not define it that way. I was an advisor assist- 
ing CMS, but CMS was responsible for delivering the Federally Fa- 
cilitated Marketplace and the new HealthCare.gov. 

Ms. Johnson. How would you describe your work on
HealthCare.gov during your tenure there as CTO? 
Mr. Park. Yes. So we are talking about the new HealthCare.gov,
the Federally Facilitated Marketplace. I will again describe it as I 
referred to in my opening testimony. I assisted CMS in a few dif- 
ferent capacities, serving as a co-chair of this interagency steering 
committee, focused on providing a venue for agencies to work to- 
gether on interagency issues in support of the hub, assisting with 
the Red Team exercise and follow-up to the Red Team exercise that 
summer, serving from time to time as a spokesperson, as a liaison, 
as someone who could help with particular questions. I began as 
an assistant, as an advisor to CMS and certainly not as the person 
who was the hands-on project manager running the thing. I was 
doing this assistance work as I was fulfilling my much broader 
portfolio of duties as Technology Policy and Innovation Advisor at 
the White House. 

Ms. Johnson. Could you give me a little idea as to what that 
broader responsibility for being the Chief Technology Officer over 
and above or around or in conjunction with, in whatever you want 
to put it, for the dot.gov program for the health care? 

Mr. Park. Yes, ma’am. So as U.S. CTO, my job was to be a technology
policy and innovation advisor at the White House focused on
how can technological innovation help build a brighter future, cre- 
ate a brighter future for the country and for the American people. 
So there was a wide range of initiatives that I worked on and 
championed, so you mentioned one in your opening statement, you 
mentioned a few, but the open data policy, open data initiatives 
work of the Administration, which really focused on opening up the 
information and knowledge in the vaults of the federal government 
such as weather data, health data, energy data, public safety data, 
et cetera, as machine-readable fuel that taxpayers had paid for and 
returning it back to the American people and American entre- 
preneurs and American innovators and researchers to turn into all 
kinds of incredible new products, services and companies that help 
people and that create jobs. 

I also was one of the creators and leaders of the Presidential In- 
novation Fellows program, which was an effort to bring in the most 
amazing technologists and tech entrepreneurs from outside govern- 
ment and team them up with the best people inside government to 
work on projects like Blue Button, which has enabled well over 100 
million Americans to be able to download copies of their own health 
information. I did a whole bunch of work in figuring out how we 
could tap into the ingenuity of the private sector to help use the 
power of technology to fight the evil of human trafficking, to help 
improve disaster recovery and response, and other key priorities. I 
worked on policy issues like how do you advance a free and open 
Internet, how do you actually massively improve the supply of and 
utilization of wireless spectrum, and more. It is the most amazing 
experience I have ever had. 

Ms. Johnson. It appears to me that though you were a person 
that could be asked a question or included in a loop that your re- 
sponsibilities were really very broad and really had no key respon- 
sibility toward the HealthCare.gov. 

Mr. Park. So there was a chunk of my time that I reserved for 
basically being helpful, being an advisor on issues that came up be- 
yond the initiatives that I was championing or co-championing. 
That is the bucket in which I put being helpful to CMS on
HealthCare.gov, which I did try to do in the capacities that I de- 
scribed. 

Ms. Johnson. Thank you very much. I yield back, Mr. Chairman. 

Chairman Broun. Thank you, Ms. Johnson. Now I recognize the 
full Committee chairman, Mr. Smith, for five minutes. 

Chairman Smith. Thank you, Mr. Chairman. 

Mr. Park, thank you for being here today. 

Mr. Park. Thank you, sir. 

Chairman Smith. As I understand it, you were briefed and given 
notice on several occasions that there were problems with the 
Obamacare website. So my question is, did you believe that the 
website was secure when it was first made operational? 

Mr. Park. So I think over the course of any large-scale digital 
project, there are issues and challenges that come up, so 

Chairman Smith. Did you think the website was secure before it 
was operational? 

Mr. Park. I did, sir, to the best of my understanding. 

Chairman Smith. Despite the warnings you got, despite the 
briefings you had pointing out the problems, you still thought it 
was secure? 

Mr. Park. My understanding was that it was. 

Chairman Smith. What did you think yourself? 

Mr. Park. Again, I am not an expert. 

Chairman Smith. Did you discount the briefings and the notice 
that you had gotten? 

Mr. Park. So which briefings and notices are you referring to, 
sir? 

Chairman Smith. Well, there was a Red Team, there were 
emails, and then other indications that you knew that there were 
problems. 

Mr. Park. So the Red Team exercise didn’t really focus on secu- 
rity. The Red Team focused on how the project was being run. 

Chairman Smith. The Mackenzie report is what I am talking 
about that pointed out the problems. 

Mr. Park. Yes, I am referring to the same report, sir. So it didn’t 
really focus on security, it focused on how the project was operating
and running generally. 

Chairman Smith. But they still pointed out problems, and you 
still decided that they were not significant enough, I guess, to put 
you on notice that it shouldn’t be operational? 

Mr. Park. So the Mackenzie report again addressed the general 
management of the project and talked about 

Chairman Smith. Again, they pointed out the problems but you 
discounted the problems? 

Mr. Park. Each of the issues, the risks, was tied to an action to 
mitigate that risk and deal with that risk. 

Chairman Smith. So you think all the risks were addressed be- 
fore the website was made operational? 

Mr. Park. I think that the risks identified by the Red Team re- 
port, my understanding is that they were addressed. 

Chairman Smith. Well, that is amazing because both then and 
more recently, all the various studies that were conducted, not a 
one found that the website was secure, not a one found that the
website was without risk. 

More recently, the U.S. Government Accountability Office found 
“HealthCare.gov had weaknesses when it was first deployed includ- 
ing incomplete security plans and privacy documentation, incom- 
plete security tests, and the lack of an alternative processing site 
to avoid major service disruptions.” This report also finds “weak- 
nesses remain both in the processes used for managing information 
security and privacy and so forth.” 

So you have these outside studies saying that it was not secure 
at the beginning and it remains insecure. Do you think the website 
is secure today despite all these warnings by independent, objective 
entities? 

Mr. Park. So CMS is the best source of information about the 
detailed security 

Chairman Smith. Do you discount the Government Account- 
ability Office’s review? The language I just read to you are direct 
quotes from the GAO. 

Mr. Park. So sir, I am not an expert in this arena. I don’t want 
to comment on something 

Chairman Smith. You said repeatedly that you were an advisor. 
As an advisor, do you advise people that the website is secure 
today? 

Mr. Park. That is not the area where I really concentrated my 
advisory work. 

Chairman Smith. Well, knowing what you know now, do you con- 
sider the website to be secure today? 

Mr. Park. So based on my understanding, I would use it. I would 
have family 

Chairman Smith. No, no, I didn’t ask you whether you would use 
it. That is easy for you to say yes. Do you think the website is se- 
cure today? 

Mr. Park. My understanding is 

Chairman Smith. Would you advise the American people that 
the website is secure today? 

Mr. Park. My understanding is that it is, but again, I would say 
that the best 

Chairman Smith. Despite the GAO, despite all these studies, de- 
spite all these reports saying it is not, you still think it is? 

Mr. Park. The best source of information about that is CMS, and 
they have a dedicated team 

Chairman Smith. Well, they are obviously biased. They have got 
an in-house conflict of interest to say anything else. Do you dis- 
count all these third-party entities, these credible organizations 
saying that it is insecure? Do you disagree with them? 

Mr. Park. Sir, again, I would just refer you to CMS for 

Chairman Smith. Like I said, you are asking the people that de- 
veloped the plan whether it is secure. What else are they going to 
say? I was asking you as an advisor whether you thought these 
independent entities’ reports were accurate or not. 

Mr. Park. I can’t say that I have actually gone through 

Chairman Smith. Okay. My last question is this. Did you advise 
the White House at any point or meet with the White House or 
brief the White House about Obamacare’s roll-out? 
Mr. Park. Sir, can you repeat the question?

Chairman Smith. Did you at any point brief the president or the 
White House about the Obamacare website before it went oper- 
ational? 

Mr. Park. So as I can recall 

Chairman Smith. And definitely how many times if you did. 

Mr. Park. As I can recall, I gave a briefing to senior White 
House officials about the results of the Red Team review and 

Chairman Smith. How many times did you brief White House 
personnel? 

Mr. Park. So if you were talking about senior White House advi- 
sors — 

Chairman Smith. How many times roughly? 

Mr. Park. I can recall two. 

Chairman Smith. And during either of those times, if two or 
more times, did you ever say anything to them about the problems 
that were inherent in the system or about any of the warnings that 
you had received? 

Mr. Park. So in both the Red Team briefing from early 2013 and 
then the follow-on in July 

Chairman Smith. Well, again, my question was fairly specific. 
Did you alert the White House staff to any problems with the 
website? 

Mr. Park. So we were very clear, yes, about the risks identified 
by the 

Chairman Smith. You did make it clear to the White House that 
there were risks? 

Mr. Park. That there were risks and here are the actions to miti- 
gate those risks. 

Chairman Smith. But the actions had not been taken yet or that 
they had been taken yet? 

Mr. Park. Well, the actions at the time we identified the Red 
Team risks, we presented both the risks and the actions, and then 
in July we said that the actions had been taken. 

Chairman Smith. Okay. So you notified the White House of the 
risk and then you came back later and said that you had limited 
those risks even despite outside entities saying that there were still 
problems? 

Mr. Park. So this was specifically on how the project was being 
run, so — and again, just to be super clear, I briefed on the Mac- 
kenzie work to senior White House officials that there were risks 
that needed to be dealt with, and then there were actions that were 
needing to be taken to mitigate those risks. 

Chairman Smith. Okay. Thank you. 

Mr. Park. — and then 

Chairman Smith. That answered my question. Thank you, Mr. 
Park. 

Thank you, Mr. Chairman. 

Chairman Broun. Thank you, Chairman Smith. I now recognize
Mr. Peters for five minutes. 

Mr. Peters. Thank you, Mr. Chairman, and thank you for your 
service on the Committee. It has been a pleasure to serve with you 
and I wish you the best going forward. Thank you. 
There has been some suggestion and some discussion on the security
of HealthCare.gov in reference to a hack over the summer,
and it is not necessarily true that that means that the site is inse- 
cure. HHS worked with the Department of Homeland Security to 
analyze the effects of the package found on the site, and according 
to the Director for U.S. Computer Emergency Readiness at DHS, 
this type of malware is not designed to extract information. There 
is no indication that any data was compromised as a result of the 
intrusion. 

I would like, Mr. Chairman, unanimous consent to enter into the 
record a letter from Ms. Tavenner to Congressman Issa of November
14, 2014, in which Ms. Tavenner states that no one has maliciously
accessed personally identifiable information from HealthCare.gov. 

Chairman Broun. Hearing no objection, so ordered. 

[The information appears in Appendix II] 

Mr. Peters. Thank you. 

Thank you, Mr. Park, for being here. In your testimony, you 
mentioned that you were not the project manager of 
HealthCare.gov but you functioned as the project manager for 
other projects when you were in the private sector. Is that correct? 

Mr. Park. Yes, sir. 

Mr. Peters. Since my colleagues have suggested that you were 
the project manager of HealthCare.gov or functioned as such, I 
thought it would be helpful to discuss the kinds of activities that 
a project manager does. And you founded Athenahealth with Jona- 
than Bush, incidentally, the cousin of former President George 
Bush, is that correct? 

Mr. Park. Yes, sir, my best friend. 

Mr. Peters. Athenahealth provides healthcare practices with 
services including cloud-based medical billing and electronic med- 
ical record services, which aims to make healthcare more efficient 
and effective, correct? 

Mr. Park. Yes, sir. 

Mr. Peters. Since you built the company, can you describe what 
was involved in creating the company from the ground up? What 
tasks were involved with developing a new IT company? 

Mr. Park. Thank you, sir. 

So as I think others who have had similar experiences would 
share, you know, it is a big, complex undertaking. You put together 
the best team that you can. You raise initial money. You put to- 
gether the best plan you can but understand that that plan is like- 
ly to survive about 17 seconds of contact with reality. You put to- 
gether an initial prototype as fast as you can of your product to try 
to figure out, you know, based on actual customers using it, what 
the real issues are and real opportunities are and then you iterate 
the plan, you iterate the product, you iterate execution constantly, 
right 

Mr. Peters. Right. 

Mr. Park. — and it is an all-consuming thing and you have in 
your head each key axis of effort, how conditions are changing, how 
plan, product execution are changing constantly 

Mr. Peters. Is it fair then 

Mr. Park. — and balance all of that together. 





Mr. Peters. Is it fair then to say when you are on the project 
management, you are very hands-on? At athena you had a com- 
prehensive, deep understanding of the efforts, very detailed knowl- 
edge of the projects and products based on your day-to-day engage- 
ment? 

Mr. Park. Absolutely. 

Mr. Peters. Okay. So what is the difference between that role 
at Athenahealth and the role you played with respect to the 
healthcare marketplace as CTO and the government? 

Mr. Park. It is night and day, sir, as I think anyone who has 
built a company or led a large initiative would tell you. I again did 
advise and assist CMS in a few different capacities, as I described 
in my testimony and earlier — in testimony and earlier. 

The — but again, it is just — it is very different from being the
project leader, the project manager, actually running the day-to- 
day and having the kind of comprehensive, detailed, multi-axis 
knowledge that you have in that context. 

Mr. Peters. In one of the emails that the Committee has pro- 
vided, you describe yourself as a consigliore. Is that kind of what 
you mean, as an advisor? 

Mr. Park. As an advisor, yeah. 

Mr. Peters. Okay. I want to — I do think that — it strikes me that 
the role of project manager is fairly well-defined as being different 
from what you were doing. I think that is pretty clear. 

I just offer, too, that one of the mistakes we make here in Con- 
gress is pulling people out of the bureaucracy and beating them up 
when we are all really trying to get the same place. We would like 
to get our government to be functioning — a healthcare website that 
is functioning. And I am — I would just observe that I have seen 
this in the Armed Services Committee, too. We are trying to get the 
best technology people we can to come work for the government, 
and in the federal — in the defense side we have a great need for 
cyber warriors and we have to be very sensitive about how we treat 
people like you and like those folks who can be in the private sector 
making much more money but who are willing to give up their 
time, to delay their careers, to step out of them and to help the 
government. 

And I want to thank you for your service. I want you to know 
that I appreciate it and I hope you are able to help continue to re- 
cruit the very, very best to come help us in this effort and other 
efforts throughout the government. 

Thank you, Mr. Chairman, and I yield back. 

Mr. Park. Thank you, sir. 

Chairman Broun. Thank you, Mr. Peters. 

Now, I recognize Mr. Sensenbrenner for five minutes. 

Mr. Sensenbrenner. Thank you very much, Mr. Chairman. 

Mr. Park, when you testified before the Committee on Oversight 
and Government Reform, you repeatedly claimed ignorance about 
any issues with HealthCare.gov prior to the website’s launch. You 
testified that you had “no detailed knowledge base of what actually 
happened pre-October 1.” You further testified that you were not 
deeply familiar with the development and testing regimen that 
happened prior to October 1.” 
But the email record tells a very different story. On June 11, you
emailed staff at CMS asking to “check in on how things are going 
with respect to Marketplace IT development and testing.” On June 
26, you said you would visit Henry Chao of CMS and his team for 
“one of our evening deep-dive sessions,” and on July 12, Henry 
Chao referenced a briefing that you were doing for the President. 
If you were preparing to brief the President and doing deep-dives 
with CMS staff in June and July 2013, how can you claim to have 
no knowledge of issues prior to October 1 of that year? 

Mr. Park. So thank you for the opportunity to answer your ques- 
tion. 

So what I said at the hearing last November was I didn’t have 
really detailed knowledge — a really detailed knowledge base, if I re- 
call correctly, of what actually happened in the run-up to October 
1. And as I have described previously, when I say “really detailed 
knowledge base of what actually happened,” that is the kind of 
knowledge that comes from being the hands-on project manager 
running the thing and not the kind of knowledge that one would 
have as an assistant advisor who, on a series of occasions, meets 
with the people who are running the thing and asks questions. So 
that is what I would say. 

Mr. Sensenbrenner. Well, obviously on the June 11 email, 
where you said you were going to check in on how things were 
going with respect to marketplace IT development and testing, you 
just didn’t ask that question out of the blue. Obviously, you decided 
to try to check up on this. And then I don’t know what goes on at 
deep-dive briefings. I imagine that there is quite a bit of detail that 
goes on. But I guess it kind of boggles my mind that if you didn’t 
know the detail of that, why were you asked to go and brief the 
President? Wasn’t he interested in really the detail of what was 
going on, not just whether it was going well or not? 

Mr. Park. Could you just refer me again to the email you are 
talking about? 

Mr. Sensenbrenner. Okay. I referred to two emails. You 
emailed the staff at CMS to check in on how things were going 
with respect to marketplace IT development and testing, and then 
on June 26, two weeks and a day later, you said you would visit 
Henry Chao and his team for an evening deep-dive session. 

Mr. Park. Could you just refer me — I am so sorry — for the tabs 
in the binder? 

Mr. Sensenbrenner. I don’t know if you have the same binder 
I have. 

Mr. Park. I see. 

Mr. Sensenbrenner. This is the tab on the deep-dive session, 
number 8. 

Mr. Park. Okay. So, again, just speaking to this session, the dif- 
ference between the really detailed knowledge base that you have 
as a hands-on project manager and the knowledge that you have 
from asking people on the project a set of questions over the course 
of a few hours is, again, just night and day. 

And also I think to address something you asked earlier, the — 
as I recall, the trigger event for the check-in that you described 
was to follow up on the Red Team recommendations with respect 
to how the project should be managed and make sure those recommendations
had been implemented by CMS. And so that was the
trigger event for the inquiry. 

Mr. Sensenbrenner. Well, you denied involvement in your testi- 
mony before the OGR Committee, but obviously you were involved 
because you asked how things were going, then you asked for a 
deep-dive briefing and you came in to brief the President on this. 
It seems a complete disconnect between you claiming ignorance 
and the information you did get filled you in and you certainly 
weren’t ignorant. How can you say that when you came in to brief 
the President, you briefed him from a base of ignorance? 

Mr. Park. So, again, just to respectfully disagree with something 
you said earlier, I don’t believe I have said 

Mr. Sensenbrenner. Um-hum. 

Mr. Park. — to the Committee last November that I had no in- 
volvement whatsoever. What I said was I didn’t have a really de- 
tailed knowledge base of what actually happened in response to a 
question about something or other. So — but, again, the point I
wanted to make was that I didn’t have that level of really detailed 
knowledge. I did have the kind of involvement that I described in 
my testimony earlier. 

Mr. Sensenbrenner. Well, my last question is what did you tell 
the President about HealthCare.gov when you briefed him? 

Mr. Park. So at the Red Team briefing in early 2013 and then 
in the follow-up, as I recall, the gist was here are the Red Team 
recommendations in terms of the risks identified and what to do 
about them, and then in the follow-up in the summer, as I can re- 
call, the briefing again to senior White House officials was that 
CMS implemented the key Red Team recommendations. 

Mr. Sensenbrenner. Did you brief the President or senior White 
House officials or was somebody other than the President there? 

Mr. Park. At those two meetings, as I recall, the President was 
there. 

Mr. Sensenbrenner. Thank you. 

Chairman Broun. Thank you, Mr. Sensenbrenner. 

I now recognize Mr. Cramer for five minutes. 

Mr. Cramer. Thank you, Mr. Chairman, and thank you, Mr. 
Park. 

Mr. Park, I want you to look at tab 5 in the binder if you would, 
please. 

Mr. Park. Thank you, sir. 

Mr. Cramer. Um-hum. So this is an email that has become a lit- 
tle bit famous today. It is an email from Michelle Snyder to you 
dated September 29, 2013, posted at 6:22 p.m. In this email, which, 
by the way, ends by her asking you to delete it, she writes, “just 
so you know, she decided in January we are going no matter what, 
hence the really cruel and uncaring march that has occurred since 
January when she threatened me with a demotion or forced retire- 
ment if I didn’t take this on. Do you really think she has enough 
understanding of the risks to fight for a delay? No, and hell no. For 
just one moment let’s be honest with each other.” 

Now, Mr. Park, it is a reasonable inference that the “she” in the 
email is Marilyn Tavenner because Ms. Snyder is responding to an 
email from you to her that same day at 5:54 p.m. that says “MT 
said that she appreciates the additional info we will generate tonight,
but that she and she alone will make the decision to go or
not.” 

Mr. Park, what were these risks that Ms. Snyder referenced in 
her email that she asked you to delete? 

Mr. Park. So at the time what I recall I was doing was helping 
CMS basically get hardware — additional hardware in place to pro- 
vide additional server capacity for the federally facilitated market- 
place, and that was the issue that we were talking about. 

Mr. Cramer. So the risk was there wasn’t enough hardware? In 
other words, you testified that you thought everything was ready 
to go, that you were confident. This is September 29. I mean the
risk was hardware? 

Mr. Park. So the risks I think that are being referred to in this 
email is that based on what we had been talking about where I had 
been asked to be helpful, and the hardware did actually get to 
where it needed to go in an operation that worked pretty well. 

Mr. Cramer. In this same email chain, about three hours earlier, 
she asked you this question — which is, by the way, located in tab 
6. 

Mr. Park. Oh, thank you, sir. 

Mr. Cramer. Sure. She asked a series of questions, but one of 
them is “should we go live on October 1?” Now, again, I remind you 
this is September 29 so she is asking pretty close should we be 
going live on October 1? 

Mr. Park. I am sorry, who — what — could you just say that one 
more time? So who is asking who? 

Mr. Cramer. So in — it is the same email chain you asked Ms. — 
I am sorry, you asked Ms. Snyder a series of questions, one of 
which is should we go live on October 1. So when you asked her 
that question, obviously you had some concern it would seem to me 
earlier that day about whether they should even go live. 

Mr. Park. So, again, as I recall as I am looking at the email, I 
was suggesting a set of questions for her to think about as an advi- 
sor, and again, this was really again focused on the task of getting 
the hardware in place 

Mr. Cramer. Did you ask the same question of anyone else? 
Whether it was Henry Chao or maybe somebody in the White 
House, Marilyn Tavenner, or was this just between you and Ms. 
Snyder? Did you raise this question with other people that might 
be in a position to do something more about it? 

Mr. Park. So I think Michelle was actually, as I recall, pretty 
central to us, and so I was injecting this set of questions as ques- 
tions I thought that would be good for CMS to think through in the 
run-up. 

Mr. Cramer. Some of these risks that Ms. Snyder was raising, 
did you ever share them? Because clearly there is this confidence, 
it appears, between you and her. She references in other parts of 
the rant probably or possibly losing her job if she raises these risks 
with the wrong people. In fact, she did, of course, announce her 
resignation not too long after all of this. 

What I am trying to get at is that as an advisor, was your advice 
only given to this one person or to others higher up the chain? I 
mean considering that earlier you testified that you did of course 
brief the President himself. Was there other concern raised by
other people to these risks that seem to be so central between you
and Ms. Snyder? 

Mr. Park. So with respect to what we are talking about here, 
which, as I recall, are risks associated with not having enough 
server capacity, the CMS senior management team, Office of Health
Reform at the White House were following what was happening 
very closely. 

Mr. Cramer. And that gave you all the confidence in the world, 
that extra server space? That was all that was necessary 

Mr. Park. Well, the specific question that I got asked to be help- 
ful on was getting hardware to the data center for additional server 
capacity, and that operation did end up being successful as I recall. 

Mr. Cramer. All right. My time is expired, Mr. Chairman. Thank 
you. 

Chairman Broun. Thank you, Mr. Cramer. 

Now, I recognize Mr. Posey for five minutes. 

Mr. Posey. Thank you, Mr. Chairman. 

Mr. Park, in an email chain with the subject heading “How seri- 
ous are you about using Homestead Air Force Base to get the 
equipment to Culpepper,” this is dated September 28, 2013. It is 
located in your tab 12. 

Mr. Park. Thank you, sir. 

Mr. Posey. You and Mr. Henry Chao worked with Mrs. Laura 
Fasching from Verizon Terremark to discuss several last-minute 
options to transport some hardware or computer equipment by ei- 
ther private ground, private jet, cargo, or even Air Force jets. 

For someone claiming to not have a detailed knowledge base of 
what actually happened pre-October 1, you seem to be all-in on a 
lot of aspects of operations related to the HealthCare.gov website. 
So, I am wondering whose idea it was to procure the equipment, 
and what the need was for spending $40,000 of taxpayers’ money 
to transport computer equipment by plane? 

Mr. Park. So, first of all, thank you for the question. Just to clar- 
ify, when I say really detailed knowledge base of what actually 
happened prior to October 1, I am not talking about like one nar- 
row aspect of what happened; I am talking about the full breadth 
of what happened over the course of the project. And as I have 
said, I did assist and advise CMS in a few different capacities. This 
was one where what happened is CMS contacted me, as I can re- 
call, and said we think we have, long story short, a need for addi- 
tional hardware to get to the data center, and they were the ones 
who teed up the notion of potentially a military option. And I vol- 
unteered to help look into that for them. 

Mr. Posey. Okay. Is it routine for a White House official, or actu- 
ally, an assistant to the President, as you were at the time, to be 
engaged in last-minute discussions with a contractor about the de- 
livery of computer equipment? Why and how did you get involved 
in that? 

Mr. Park. So my style is to try to help in every way I possibly 
can, and so I got asked to help with this and I threw myself into 
trying to help. And although the military option ended up not being 
used; it didn’t have to be used; there was private transport, the op- 
eration to get hardware there worked out. 

Mr. Posey. It sounds like a pretty detailed knowledge base. 
Mr. Park. Not of the whole project and how it was working. This
is one very specific, very narrow aspect and one episode in time. 

Mr. Posey. You also appear to be the point of contact for most 
interactions with technology companies and people such as 
Palantir, Red Hat, Alex Karp, MITRE, and even Gartner, a com- 
pany used to help with the Administration’s messaging on 
HealthCare.gov around the time of a Committee on Homeland Se- 
curity hearing on September 11, 2013. In fact, a Gartner analyst 
provided a quote that the statements made in a CMS letter to the 
Ranking Member of Homeland Security Committee “represent cur- 
rent best practices for the protection of sensitive and regulated 
data and systems.” That is in tab 14. 

Mr. Park. Oh, thank you, sir. 

Mr. Posey. I am wondering how often did you reach out to such 
companies or people to talk about aspects of the HealthCare.gov 
website for either PR purposes or technical purposes? 

Mr. Park. Not that often, as I can recall. But on the several occa- 
sions, yes. 

Mr. Posey. And what others do you recall? 

Mr. Park. Well, so you mentioned this one. I can speak to Red 
Hat. So what happened there was that CMS asked me to be on the 
phone with them as they asked for additional Red Hat resources 
to be applied and just to communicate that this was a top priority 
of the government, which I volunteered to do. 

I can talk to the Palantir example. So they are — you know, as 
part of my role as a facilitator, I connected Palantir to CMS to have 
a discussion at a high level about cybersecurity. 

Mr. Posey. That is a little bit beyond the scope of advisory, 
though, wouldn’t you think? 

Mr. Park. Not in my experience, no. 

Mr. Posey. Okay. Arranging contractors to get together and 

Mr. Park. No, we actually — it is assisting, as I have said, in a 
few different capacities. 

Mr. Posey. What did they have to say about the website? Did 
they ever provide feedback to you on the security aspects of the 
website? 

Mr. Park. So as I can recall, the Palantir conversation, I think 
the experts said here is what you should be thinking about, and 
CMS said that basically accords with what we are thinking about. 
So that was what I recall of the call. 

Mr. Posey. And that is the only time you are aware of any secu- 
rity issue at all? 

Mr. Park. Again, and that call basically it was a very high-level 
call and Palantir said just kind of not with any particular knowl- 
edge of HealthCare.gov but here are the kind of things that rep- 
resent cybersecurity best practices and CMS said, yes, that makes 
sense; that is what we are thinking, too. 

Mr. Posey. Yeah. You had mentioned that you would use the 
website. Just out of curiosity, are you enrolled in ObamaCare? 

Mr. Park. I am not but I continue to get my insurance through 
the Federal Government. But my tour of duty in government, 
which has been the greatest experience of my life, will at some 
point end and then I am very excited about enrolling in Covered 
California, which is the marketplace in California, when I do roll 
off. 

Mr. Posey. Yeah. The people who wrote the bill aren’t in it ei- 
ther so don’t feel bad about that. 

My time is expired, Mr. Chairman. Thank you. 

Chairman Broun. Thank you, Mr. Posey. 

Now, Mr. Johnson from Ohio, you are recognized for five min- 
utes. 

Mr. Johnson. Thank you, Mr. Chairman. 

Good morning, Mr. Park. 

Mr. Park. Good morning, sir. 

Mr. Johnson. You and I share something in common. My back- 
ground is thirty years in information technology. I have never been 
a Chief Technical Officer, but I have certainly been a Program 
Manager, Project Manager, Chief Information Officer, and even 
had Chief Technical Officers work for me. 

Mr. Park. God bless you. 

Mr. Johnson. Yeah. So I certainly understand from where you 
come. And I must confess to you, Mr. Park, that I find it a little 
bit disingenuous that you would qualify or classify your role in all 
of this as simply an advisor. 

In 2008, when the President issued a position paper on the use 
of technology in innovation, he talked about standing up the Na- 
tion’s first Chief Technology Officer. And to quote from what came 
directly from at that time the campaign website it said that “the 
CTO will ensure the safety of our networks and will lead an inter- 
agency effort working with the Chief Technology and Information 
Officers of each of the Federal agencies to ensure that they use 
best-in-class technologies and share best practices.” 

In November of 2008, the President reiterated his intentions, and 
again quoting from the President-elect’s website that he would “ap- 
point the Nation’s first Chief Technology Officer to ensure the safe- 
ty of our networks.” Before that, it said “ensuring the security of 
our networks.” So whether you envisioned your role being an advi- 
sor, the President said you were responsible. That is what “ensur- 
ing” means. As a CIO, and as a Project Manager, I know what “en- 
suring” means. It was your job to ensure the safety and security 
of those networks, at least according to what the President was 
telling the American people. 

So I want to go to your role as the co-Chair of the ACA IT Ex- 
change Steering Committee. If I look at the charter that set that 
up, one of the responsibilities in there is to direct the formulation 
of workgroups to identify the barriers and recommend fixes and 
those kind of things, and two of those working groups were directly 
related to data-sharing and privacy and security harmonization. 
What was your role then as the co-Chair? You either misrepre- 
sented your knowledge of cybersecurity to the President or you 
didn’t do your job. Which was it? 

Mr. Park. So thank you for the opportunity to address I think 
a couple different questions embedded in there. And I respect your 
service as technologist, sir, to the country. 

So the position of U.S. CTO has evolved quite a lot I think over 
the years. And what I can represent is what I did in the role, and 
cybersecurity ops for the Federal Government has very much not 
been part of my role. 

Mr. Johnson. I don’t want to use the whole time just pontifi- 
cating, Mr. Park. When you were with Athenahealth, was 
cybersecurity a part of what you considered important in standing 
up that cloud-based system? 

Mr. Park. Sure. 

Mr. Johnson. It was? 

Mr. Park. Um-hum. 

Mr. Johnson. Okay. On September the 2nd of 2013, you sent an 
email to Christopher Jennings. It said, “Hi, Chris. Here are the 
cybersecurity background points for you. The first three are the 
points CMS put together previously, which I am sure you have al- 
ready seen. They are followed by a couple of points about next 
steps currently underway.” So are you trying to tell this Committee 
that you knew nothing about the security failures and the security 
risks associated with HealthCare.gov? 

Mr. Park. Would you mind just pointing me to the email that 
you are referencing? I think it is 

Mr. Johnson. I am not sure where it is in your tab, but I have 
got it here. I don’t know where it is in your tab. 

Mr. Park. Well, okay. Let me just speak to the episode that I 
think you are talking about, but long story short because I know 
we have very little time left, so the content that was put together 
for Office of Health Reform on cybersecurity was content supplied 
by CMS and HHS. 

Mr. Johnson. But, Mr. Park, there you are being disingenuous 
again. You are the Nation’s CTO appointed by the President to en- 
sure the safety and security of our networks. You can’t just say this 
was CMS’s responsibility. And let me remind you that you can del- 
egate responsibility to people that do the actual coding, to Project 
Managers and Program Managers, but you can’t delegate account- 
ability. 

Mr. Park. So again, sir 

Mr. Johnson. And you were responsible. You are accountable to 
the President and to the American people. Now, you have testified 
this morning that you briefed the President several times. Did you 
ever once tell the President that you had concerns about the secu- 
rity of the system in your role as Chief Technical Officer and co- 
Chair? 

Mr. Park. So, again, to go back to I think a fundamental mis- 
understanding, in my role as U.S. CTO I haven’t been — the 
cybersecurity operations hasn’t been a focus 

Mr. Johnson. But it was as co-Chair of the Steering Committee. 
It was clearly in the charter, the co-Chair of the Steering Com- 
mittee. You did have that responsibility. 

Mr. Park. I was co-Chair on a — one of three co-Chairs on a com- 
mittee organized by OMB and there was a privacy security sub- 
group, as you have mentioned. 

Mr. Johnson. But 

Mr. Park. That was staffed and led by agency personnel and was 
really self-propelled and driven by them. The point of us as co- 
Chairs was to provide a neutral venue where they could get to- 
gether to do that work. 

Mr. Johnson. Well, that is not my reading of the charter, but my 
time has expired, Mr. Chairman, and I will yield back. 

Chairman Broun. Thank you, Mr. Johnson. 

Now, I recognize my friend Eric Swalwell for five minutes. 

Mr. Swalwell. Thank you, Mr. Chairman. 

I also would like to take a moment to thank you for your service 
and you served two years as Ranking Member and four years as 
Chairman of this Committee and you have always conducted your- 
self and your chairmanship with dignity and courtesy. And I know 
Mr. Maffei has also shared that with me privately. And so I wanted 
to thank you for that. 

Today may be a day of disagreement but I sincerely believe that 
if we conduct this hearing fairly, as we have in the past, that we 
will emerge as a more — we will emerge with a better under- 
standing of what Mr. Park did and, most importantly, did not do 
with respect to HealthCare.gov. 

Fairness is particularly important because this hearing has the 
feeling quite frankly, as a former prosecutor, of a trial, and the 
only witness before us is Mr. Park. The title of the hearing implies 
that we are going to examine his involvement in the development 
of the HealthCare.gov website, but most significantly, a staff report 
released by you, Mr. Chair, and Chairman Smith on October 28 
functions as a prosecutor’s memorandum that makes very damning 
allegations regarding Mr. Park’s honesty before the Committee on 
Oversight and Government Reform and Dr. Holdren’s candor in his 
replies to this Committee regarding Mr. Park’s involvement in 
cybersecurity. As a former prosecutor, I believe that allegations 
made against Mr. Park can place him in legal jeopardy. He de- 
serves a chance to tell his own story and put these allegations to 
rest and I believe he can do that. 

Mr. Park is a successful entrepreneur in the IT world who took 
a break from developing successful companies to come to Wash- 
ington, D.C., to help the government and the country think of cre- 
ative ways to use information technology to improve our economy 
and address important social problems. He is a patriot and he is 
a son of immigrants who have played their own role in keeping the 
American economy vibrant and expanding. Mr. Park’s parents, I 
understand, are here today, as is his wife, as is his pastor and 
friends from the IT business world. 

I mention this to remind all Members to not confuse their feel- 
ings towards the Affordable Care Act with Mr. Park as a person. 
He served the public and did his best and should be thanked for 
his contributions. In fact, Mr. Park has returned to the Bay area, 
and I know people personally who have been contacted by Mr. Park 
who he is trying to recruit to bring bright, young, innovative stars 
to the IT world and to take a break from the multimillion dollar 
contracts that they have in Silicon Valley, come out to Washington, 
D.C., and try and solve problems. I cannot imagine that this helps 
him make that case. In fact, this probably makes it much harder 
for him to make that case, to go through a process like this. 

I have reviewed a minority staff report, which I ask to be made 
part of the record, built on a complete review of the documents pro- 
duced by the White House. The staff makes a very strong argu- 
ment supported by White House documents that Mr. Park did not 
have a deep, direct, or intimate involvement in any of the work of 
developing the online marketplace launched on October 1, 2013, or 
the cybersecurity standards and techniques used for the site. If he 
was playing such a role, there should be monthly progress reports 
from contractors that show progress against deliverables and re- 
quirements, costs of work, a critical path analysis that identifies 
where problems threatened the successful launch, and a discussion 
of the integration process for the site across an army of contractors 
on the project. 

None of these documents have been produced because Mr. Park 
was not the day-to-day manager on the project. Nor are there any 
kind of documents that any of the contractors produce doing the ac- 
tual work could possess, which would result or include a discussion 
of code, performance, and testing results. Those documents can be 
found at CMS, which managed this complex acquisition among the 
contractors. 

I believe that Mr. Park’s job was about trying to push technology, 
and the record and evidence supports that, technology throughout 
all levels of the country to improve our competitiveness and quality 
of life. As just one example, Mr. Park drove an initiative to find 
innovative methods to use IT and big data to combat human traf- 
ficking. I don’t think there is any Member who favors human traf- 
ficking. That is about as nonpartisan as an initiative as you can 
get. Mr. Park was working full-time in a much wider swath of 
issues and areas than HealthCare.gov. Members, I hope, will not 
lose sight of that and get tunnel vision about Mr. Park simply be- 
cause we have such a narrow set of records. 

I believe that if Mr. Park is given a fair chance, a fair oppor- 
tunity to answer questions here today, that Members on both sides 
of the aisle will conclude that Mr. Park was not a principal actor 
in the development of HealthCare.gov prior to October 1, 2013, and 
had no role in developing cybersecurity standards or techniques for 
the website. 

Mr. Park, I am going to apologize to you now for the way you 
have been treated and I am hopeful that you will get apologies 
from the Chairman and other Members by the end of this hearing. 

Thank you, Mr. Chair. 

Mr. Swalwell. And, Mr. Chair, I understand that the Chair will 
yield to me five minutes of questions, which I also appreciate. 

Chairman Broun. And you are recognized for five minutes for 
questions. 

Mr. Swalwell. Mr. Park, you are not a cybersecurity expert, are 
you? 

Mr. Park. I am not. 

Mr. Swalwell. Mr. Park, the White House provided several 
emails from you to CMS relating to cybersecurity. Was there ever 
a time where you were writing to CMS to give them direction on 
cybersecurity standards, design, testing, or tools? 

Mr. Park. Not that I can recall, no. 

Mr. Swalwell. When you wrote to CMS, Mr. Park, about 
cybersecurity, you were doing it because someone at the White 
House had asked you to gather information, whether for a briefing 
or meetings or to use as a press event for the White House, is that 
correct? 

Mr. Park. Correct. 

Mr. Swalwell. When Dr. Holdren wrote to this Committee that 
“Mr. Park and OSTP personnel have not been substantially in- 
volved in developing or implementing the federally facilitated mar- 
ketplaces security measures;” and “Mr. Park is not a cybersecurity 
expert. He did not develop or approve the security measures in 
place to protect the website and he does not manage those respon- 
sible for keeping the site safe.” Is every element of the statement 
made by Dr. Holdren that I just read correct? 

Mr. Park. Yes, sir. 

Mr. Swalwell. Henry Chao ran the website development for 
CMS and Mr. Chao told the White House — told the House Over- 
sight and Government Reform Committee that he did not run the 
cybersecurity side of development. With 100 percent confidence do 
you know before October 2013 who was in charge of cybersecurity 
on this process? 

Mr. Park. I believe it was Tom Shankweiler, but I am not 100 
percent sure he was the leader. 

Mr. Swalwell. Henry Chao, who was doing the day-to-day man- 
agement of the development of HealthCare.gov, was interviewed by 
the staff of the House Oversight and Government Reform Com- 
mittee. He was asked if you Todd Park played a management role 
and replied that — this is Mr. Chao’s words — you “didn’t own any- 
thing meaning he didn’t have the budget, the staff, the contractors, 
so the day-to-day management really still falls to the operating 
agencies.” Is this an accurate statement, Mr. Park? 

Mr. Park. Yes, sir. 

Mr. Swalwell. Were you a manager on the HealthCare.gov 
website? 

Mr. Park. I was not a hands-on project manager, sir, as I have 
described. I did assist in particular ways that I have testified to 
earlier. 

Mr. Swalwell. Did you have any control, authority over budg- 
ets, staff, or contractors? 

Mr. Park. No, sir. 

Mr. Swalwell. And you asked Mr. Chao about attending the 
July 19 Readiness Review, which was to be an end-to-end review 
with all of the contractors about the state of the program. Initially, 
Mr. Chao said yes. Then you mentioned in an email to Michelle 
Snyder, Mr. Chao’s supervisor, that you were going to be a “fly on 
the wall at the event.” And then Ms. Snyder responds that “flies 
on the wall are seldom invisible and are often distracting.” Then 
Mr. Chao writes a letter that the review is not the place for an ob- 
server. Did you go to this meeting? 

Mr. Park. I do not. 

Mr. Swalwell. You spoke with Mr. Chao and Ms. Snyder about 
getting a walk-through of the live website system as it was devel- 
oping in mid-July. People are alleging that you were deeply in- 
volved in the implementation and development of the site so I as- 
sume that you got that walk-through very quickly? 

Mr. Park. As I recall, I believe the walk-through ended up hap- 
pening with me and other officials in early September. 

Mr. Swalwell. Now, was that a walk-through that was exclusive 
to you or were there other officials present? 

Mr. Park. Other officials were present. 

Mr. Swalwell. Those managing or directing multibillion-dollar 
developmental projects always get a core set of document to track 
progress. Usually, it is in the form of a monthly report from con- 
tractors that show their performance on requirements, the dollars 
spent, the value achieved, and the critical path issues. Without 
these detailed reports, Mr. Park, is it possible to have a detailed 
knowledge of how a project is going at an on-the-ground level? And 
if so, did you have any reports that would inform you on this? 

Mr. Park. You need those kinds of reports, and frankly, you need 
more. You need to be on the ground. 

Mr. Swalwell. And were you on the ground? 

Mr. Park. No, sir. 

Mr. Swalwell. Did you have those reports? 

Mr. Park. No, sir. 

Mr. Swalwell. Mr. Chairman, being a spokesperson or collecting 
talking points for a briefing does not translate into intimate in- 
volvement in the development and testing of the website. Mr. Park 
was not managing the acquisition, he was not directing the devel- 
opment or designing the cybersecurity system, and he sure as heck 
was not a contractor down in the trenches writing code, which I 
think is pretty apparent from his testimony. He was the Chief 
Technology Officer of the United States with the broad portfolio 
ranging from human trafficking to other important technology ad- 
vising, and he did a lot more work with that portfolio than any two 
normal people could pull off. But at some point the actual evidence 
has to guide our opinion of Mr. Park, which is that he was not inti- 
mately involved in the development of HealthCare.gov. 

And I yield back. 

Chairman Broun. Thank you, Mr. Swalwell. 

And you remind me that, without objection, we will enter in the 
record our own majority staff report. 

[The information appears in Appendix II] 

Chairman Broun. Without objection, the Chair recognizes Ms. 
Bonamici for five minutes to ask questions. 

Ms. Bonamici. Thank you very much, Mr. Chairman, and thank 
you for allowing me to participate in this Subcommittee hearing. 
Even though I do not serve on this Subcommittee and do serve on 
the full Committee, it is an area of interest to me and I am glad 
to be here today. And I want to thank Mr. Park for being here and 
withstanding this line of questioning that frankly concerns me. I 
want to align myself with the remarks made by my colleagues Mr. 
Peters and Mr. Swalwell. 

When we have someone who has come and given so much to this 
country from the private sector and done so much, we want to 
make sure that we send a message to the American public that we 
appreciate your sacrifice and all of your hard work, Mr. Park. And 
I would imagine that when you said yes when you were asked to 
come and serve your country, you never imagined that you would 
be sitting in a Subcommittee hearing with what appears to be a 
game of gotcha about a whole series of emails. 

So I want to start by, again, saying thank you so much for your 
service. As someone who represents a district in Oregon with a lot 
of high-tech industry and innovation, I appreciate all you have 
been doing and understand that the drive for IT innovation to im- 
prove service delivery is something that we can all benefit from, so 
thank you for your expertise. 

Mr. Park. Thank you, ma’am. 

Ms. Bonamici. You are welcome. And apologies for perhaps being 
a bit repetitive on some of these issues, but I just want to make 
sure a couple of things are clear and that is what happens when 
you go last is that sometimes you sound like you are being repet- 
itive. 

But I know that the title on the majority’s report says something 
about “knowingly put Americans’ sensitive information at risk.” 
And that is the title of the report. So, Mr. Park, did your inter- 
actions with the Administration personnel working on 
HealthCare.gov give you any cause to worry that they would know- 
ingly put Americans’ sensitive information at risk? 

Mr. Park. Not that I can recall, no. 

Ms. Bonamici. Thank you and I understand from the documents 
that were provided to us by the majority, what we have been look- 
ing at here is numerous emails that were exchanged with members 
of the Administration and officials on the subject of 
HealthCare.gov, but what we have not seen is what must be many 
emails that you have exchanged with them on other efforts that oc- 
cupied your time. I know, for example, that you worked on the Con- 
nectED initiative, and given my role on the Education Committee, 
I am grateful for your efforts with that as well. 

So we heard about a couple of other areas that you worked on 
but I understand that you oversaw at least 15 initiatives, including 
HealthCare.gov. So would you care to tell us a little bit about a few 
of those others just so we can understand the breadth of what you 
were doing? 

Mr. Park. Sure. And just to be specific, I think the 15 you are 
referring to, these are initiatives that I was either championing or 
co-championing. That didn’t include HealthCare.gov. Advice and 
assistance to HealthCare.gov was something I classified into a 
chunk of my time that was set aside for reacting and helping on 
issues as they arose. 

But in terms of the 15 or so initiatives that I was directly help- 
ing to drive, as I described earlier, they included open data initia- 
tives to help unlock the power of the data inside the Federal Gov- 
ernment by making it available in machine-readable form for the 
public so that entrepreneurs and technologists could grab it and 
turn it into all kinds of incredible services and products and im- 
provement in life and jobs, much as the National Weather Service’s 
release of weather data has really powered all kinds of innovation 
in weather and jobs as a result. 

I championed a set of initiatives, as has been described, to do 
things like harness the power of private sector technologists and 
innovators to help fight the evil of human trafficking, rallying 
innovators to build tools that could help with that. I similarly did 
the same thing to help improve American disaster recovery and re- 
sponse. I worked on policy initiatives like how to advance a free 
and open internet, how to actually share wireless spectrum more 
efficiently and effectively across the country as demand for spec- 
trum continues to increase significantly. 

I was a cofounder of the Presidential Innovation Fellows Pro- 
gram that brings in amazing technologists from the private sector 
to work with the best technologists in government on all kinds of 
exciting initiatives like Blue Button and Green Button to help 
Americans get access to their own health data, their own electricity 
usage data, and more. 

Ms. Bonamici. Well, thank you. And I think we get a sense from 
that of many of the areas where you do have expertise and where 
you did serve our country. And I want to suggest that the time on 
the Science Committee would have been much better spent on talk- 
ing about some of those issues like open access, like innovation in 
healthcare technology rather than trying to get you to say that you 
are an expert on cybersecurity, which obviously from everything 
that I have read and seen and heard, you are not on this issue. 

So thank you again for spending your time here. Thank you for 
your service. And I hope that we can have you come back sometime 
and talk about those areas that the public would really be inter- 
ested in hearing about. That to me, Mr. Chairman, would be a 
great use of Science Committee time. 

Thank you again, Mr. Park, for your service. 

Mr. Park. Thank you, ma’am. 

Chairman Broun. Thank you, Ms. Bonamici. Your time is ex- 
pired. 

Before we adjourn, I would like to give myself some leeway as 
Chairman of this Subcommittee for the last time with one last 
question for you, Mr. Park. 

Mr. Park. Yes, sir. 

Chairman Broun. One of your emails provided to the Committee 
late last Friday was one on October the 10th where you forwarded 
an article that you had read by David Kennedy, a “white hat” hack- 
er, who has testified twice before this Committee about his concern. 
And the headline from that article was “Is the Affordable 
Healthcare Website Secure? Probably Not.” Mr. Park, if you want 
to refer to it, it is in tab 15 in your binder. 

Mr. Park. Thank you, sir. 

Chairman Broun. You even commented about David Kennedy’s 
article that “This got sent to me by someone who says these guys 
are on the level.” Other documents provided to the Committee 
show that several other cybersecurity experts expressed concerns 
with the security of the website around that same time. Mr. Park, 
do you think that David Kennedy’s concerns with the security of 
the website are on the level? 

Mr. Park. So thank you for the question. As I recall, this did get 
sent to me by someone who thought that TrustedSec was someone 
that was worth paying attention to. I can’t comment on that 

Chairman Broun. Do you think he is on the level, yes or no? 

Mr. Park. I don’t have the judgment — the knowledge of 
cybersecurity to say and so that is why I forwarded it immediately 
to CMS, which then evaluated it, and had the response that you 
see. 

Chairman Broun. Are you being level with us today? 

Mr. Park. Yes, sir. Absolutely. 

Chairman Broun. Okay. According to a news report, it says that 
you reportedly briefed President Obama, Vice President Biden, 
Health Secretary Kathleen Sebelius, and others about the problems 
with the website only a few days after reading David Kennedy’s re- 
port. Did you ever express the warnings that were in David Ken- 
nedy’s report about the lack of security with the website to the 
President or others in the White House in that October meeting or 
any other previous meetings? 

Mr. Park. So, again, as I think this email demonstrates, I for- 
warded this to CMS right away and CMS responded saying CMS 
acknowledges this feedback by the security committee, analysis 

Chairman Broun. So just forwarding the email was the only 
warning that you gave to anyone, is that correct? 

Mr. Park. Well, it says, “Analysis of the code and review of the 
operational environment has confirmed the site is secure and oper- 
ating with low risk to consumers,” which then got forwarded back 
to me. 

Chairman Broun. So it is — but that was the only warning you 
gave anybody, is that correct? 

Mr. Park. Well, sir, again, cybersecurity is handled by CMS, and 
I think they 

Chairman Broun. I am just asking. That is a yes-or-no question. 

Mr. Park. So I just — I can report what happened, which is I sent 
this 

Chairman Broun. Okay. 

Mr. Park. — asked them to evaluate it 

Chairman Broun. I take that that 

Mr. Park. — and got a response. 

Chairman Broun. I take that that the answer is no. 

Mr. Park, I want to thank you for finally appearing before this 
Committee and I am sorry that we had to 

Mr. Swalwell. Mr. Chairman, may I have a follow-up question, 
please? 

Chairman Broun. No, sir. 

Mr. Swalwell. Okay. 

Chairman Broun. We have got to adjourn. 

Mr. Swalwell. May I have a follow-up briefly, Mr. Chair? 

Chairman Broun. Mr. Park, I am sorry we came to the point 
where we had to subpoena you to come before this Committee, but 
thank you for coming, even possibly under duress. 

But obviously people can disagree about whether you were deeply 
involved or not with the HealthCare.gov website. While I thank 
you for your government service, the fact remains that the rollout 
of the HealthCare.gov website last year was a debacle, and that is 
not my assessment but that of Health Secretary Kathleen Sebelius. 

My assessment of this situation remains that you and others in 
the White House have been neither forthright nor forthcoming 
about your role and responsibilities at the White House. Integrity 
in government is integral to the public’s faith in our democracy, 
thus, our Nation’s leaders must be open and honest with our fellow 
Americans and respect the roles of the executive branch and Con- 
gress, as articulated in our Constitution. 

The fact remains that the White House still has not provided all 
the documents pursuant to the Committee’s subpoena. We have 
asked for them, we subpoenaed them, we still haven’t gotten them. 
And perhaps that is why people still disagree about your role in the 
debacle. 

Eternal vigilance is the price we pay for our liberty. To that end, 
the Committee maintains that all documents pursuant to the sub- 
poena be provided and we ask for the Administration to please pro- 
vide those expeditiously. After a more thorough assessment of 
these documents, you may be called to appear before us again, Mr. 
Park, in order to one day reach a better understanding. While I 
may no longer be in Congress on that day, the Committee’s vigi- 
lance on this matter will carry on. 

Honest people can fundamentally disagree and we have seen that 
today. For example, you believe that ObamaCare will be a great 
thing for Americans, but I think too much of it was predicated on 
a lie. As a medical doctor, I believe that ObamaCare is the wrong 
prescription for what ails our nation’s healthcare system, but that 
is a debate for another time. 

And with that, I want to thank you, Mr. Park, for appearing be- 
fore us today, and the Members for their questions. The Members 
of the Committee may have additional questions for you, Mr. Park, 
and we will ask that you respond to those in writing, please, and 
do so expeditiously. 

I want to thank my friend Dan Maffei and Eric Swalwell for you 
all working with me through this process. It has been a great expe- 
rience for me, and I consider you a friend and consider Dan a 
friend and I consider all of your staff to be excellent. It has been 
great working with you all. I had the opportunity to work with Ms. 
Bonamici also, and I enjoyed working with her, as I told her earlier 
today. She just left, but it has been a great experience, and I have 
been tremendously honored by chairing this Subcommittee. 

The record will remain open for two weeks for additional com- 
ments and written questions from Members. The witness is ex- 
cused. The hearing is adjourned. 

Mr. Park. Thank you, sir. 

[Whereupon, at 11:47 a.m., the Subcommittee was adjourned.] 

Answers to Post-Hearing Questions 

Responses by Mr. Park 

Mr. Todd Park, former Chief Technology Officer of the United States, 
Office of Science and Technology Policy (OSTP) 

RESPONSES TO QUESTIONS FOR THE RECORD 
“The Role of the White House Chief Technology Officer 
in the HealthCare.gov Website Debacle.” 

U.S. House Committee on Science, Space, and Technology 
Subcommittee on Oversight 

Wednesday, November 19, 2014 


Questions submitted by House Science, Space, and Technology Committee Chairman Lamar 
Smith and Oversight Subcommittee Chairman Paul Broun 

1. During the early construction and development of HealthCare.gov, including the 
Federally Funded Marketplace (FFM), were security issues ever raised, and if so, when 
were you made aware of them, by whom, and did you ever share those concerns with the 
President or anyone else at the White House? 

a. Given the: (i) risks that were represented in the McKinsey report; (ii) risks that 
Michelle Snyder mentioned to you in the days leading up to the website; and (iii) 
the fact that CMS Administrator Marilyn Tavenner was going to make sure that 
the website launched on October 1, 2013, no matter what (Enclosure 1), at what 
stage in the development of the website and FFM was security fully implemented 
in compliance with federal standards? 

Response: 


During the early construction and development of the Federally Facilitated Marketplace prior 
to its launch, I do not recall being made aware of particular problems with the security (i.e., the 
defenses against malicious cyberattack) of the Marketplace. My recollection of the McKinsey 
“red team” work in early 2013 was that it focused on how the project to develop the Federally 
Facilitated Marketplace was being executed in general, focusing on the development of the 
user-facing consumer experience, and how to improve the management of the project in this 
regard — as opposed to being focused on security. With respect to Michelle Snyder’s 
comments in the email chain to which I believe the question is referring, the thrust of that email 
chain was an effort to bring in additional hardware capacity to reinforce the Marketplace’s 
ability to support user load, rather than being a discussion about security. CMS is the best 
source of information regarding the security operations of the Marketplace, including when 
various certifications were issued in accordance with Federal requirements. 

2. In your deep-dive sessions or status updates of HealthCare.gov, did anyone ever mention 
that an “end-to-end” test had been performed on the website? Were there ever any 
concerns about the website’s functionality and security during these meetings? If so, what 
was conveyed to you and what did you do with that information? 

Response: 


In the particular sessions in which I participated prior to the launch of the Federally Facilitated 
Marketplace, I do not recall whether anyone mentioned that an end-to-end test had been 
performed. My recollection is that the McKinsey “red team” sessions in which I participated 
in early 2013 identified risks with respect to general project execution and the development of 
the user-facing consumer experience and recommended a series of actions to address these 
risks; this red team exercise did not focus on the cybersecurity defenses of the Marketplace. 

As discussed in my testimony, the red team’s analysis of project risks and recommended 
actions to address them were communicated to CMS, HHS, and White House senior 
leadership, and CMS agreed to adopt the key recommended actions, with the support of HHS 
and the White House. As with any large undertaking, I remember CMS from time to time 
explaining challenges they were working through to develop the Marketplace. In particular, I 
can recall specific open user-facing feature and functionality questions that were raised in 
discussions and that I worked to help resolve. As examples: I was asked by the White House 
Office of Health Reform to help assess whether it was feasible to add insurer logos to the 
display of insurance plans in the Marketplace; after talking with CMS about what such an 
effort would involve, the opinion I expressed to the Office of Health Reform was that it was 
not prudent to try to do so during this open enrollment season. I was also asked to assess 
CMS’s desire to push Spanish-language functionality to a post-October 1, 2013 deployment 
date; after talking with CMS, my assessment was that this made sense, which I conveyed to 
White House leadership. As discussed in my testimony, I was also asked by CMS to see if I 
could help facilitate getting additional hardware transported to the data center hosting the 
Marketplace in order to provide additional server capacity; I provided assistance as asked; 
CMS’s progress in this effort was tracked by CMS senior leadership and the White House 
Office of Health Reform; and my understanding from CMS was that the additional hardware 
was successfully transported to the data center and brought online. 


3. Where was the quality control on the software development lifecycle and why did 
Americans see and experience so many issues during the initial rollout? 

Response: 

In retrospect, the significant issues experienced by the Federally Facilitated Marketplace at 
launch reflect fundamental issues with how the Federal Government develops and deploys 
digital services - issues that have built up over decades and which have resulted in too many 
government digital service projects performing sub-optimally or worse. It is of vital 
importance that the Federal Government continue to accelerate efforts to (a) bring more of the 
best technology talent into government, revamping how we recruit, hire, and train personnel 
involved in all aspects of the development and operation of digital services for the public; (b) 
help attract more of the best companies into working with government, companies with strong 
competency in modern digital service development approaches and techniques, which have 
been too often discouraged from competing for government contracts due to the complexity 
and archaic nature of traditional government procurement practices; and (c) radically revamp 
the process via which the government develops digital services in accordance with private 
sector best practices, including the utilization of agile, iterative approaches to software 
development, best-practice product management techniques, and contracting and budgeting 
practices that support these. 


4. The following quote comes from your bio previously posted on the OSTP page: 

“In 2013, the President called on Park, a highly accomplished health IT entrepreneur, to 
help with the successful turnaround of HealthCare.gov. Park, teamed with Jeff Zients, 
assembled and led the tech surge that overhauled HealthCare.gov, ultimately enabling 
millions of Americans to sign up for quality, affordable health insurance.” 

As part of the effort to improve functionality after the website’s launch, what specific 
steps did you take relative to the website’s security, including security of people’s 
personal information? 

a. What tests did you run on the website to ensure the level of effectiveness of 
security on the website? 

b. Was there ever end-to-end or comprehensive testing done? 

c. Did you address what a September 2014 GAO report described as existing 
weaknesses “in the processes used for managing information security and privacy, 
as well as the technical implementation of IT security controls?”' 

Response: 

My role in the turnaround of HealthCare.gov and the Federally Facilitated Marketplace post 
October 1, 2013 focused on helping to reduce the amount of time the site was down, improve 
the site’s speed, improve its ability to handle high user volume, and improve user-facing 
functionality (defined as user-facing features and workflow). My work did not focus on the 
security of the website - which continued to be handled by a dedicated CMS security team; 
CMS is the best source of information regarding the security operations of the website. 


5. Given your expertise and your involvement with HealthCare.gov, were you surprised to 
learn that the website was successfully hacked this summer? Do you know or have you 


’ “HealthCare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls,” GAO, September 16, 
2014, available at: httn://vvww.gao.gov/oroducts.tCiAO-t4-7tO . (Emphasis added). 
been made aware of any other incidents where personally identifiable information (PII) 
may have been illegally obtained through HealthCare.gov? 

Response: 


As context, my knowledge of the incident to which the question refers is second-hand - CMS 
will have more direct information. As far as I am aware, no personally identifiable 
information was compromised in the incident. I am not aware of any incidents in which 
personally identifiable information has been illegally obtained through HealthCare.gov. 


6. As you may know, there is no obligation on the federal government to disclose if 
Americans’ sensitive personal information were breached in a cyber-attack. The House 
has passed legislation that requires HHS to notify people if their information is stolen 
from HealthCare.gov. As a former private businessman, HHS CTO and U.S. CTO, do 
you believe that the federal government should be required to inform Americans 
whenever their information is compromised from HealthCare.gov, and if so, how 
quickly? 

Response: 

I haven’t reviewed the legislation to which this question is referring. With respect to the 
legislation and this question in general, I would want to seek the opinions of sources such as 
OMB before forming my own views. 


7. At the November 19, 2014 hearing, you mentioned that you met with the President on at 
least two occasions regarding the status of HealthCare.gov. How many HealthCare.gov 
briefings did you actually participate in where the President was present? 

a. When was the first time you talked to the President about the security and privacy 
aspects of HealthCare.gov? 

b. Did you ever discuss the operational readiness of HealthCare.gov with the President? 
If so, when, and what did you tell him about the website’s security? Did you discuss 
any testing that had been done to ensure its readiness? 

c. Was there ever a discussion about postponing the launch of the website? If so, did the 
President ever suggest a delay? Did you ever suggest to the President that he consider 
delaying the launch of the website? 

Response: 


The two meetings on the implementation of the Affordable Care Act that included the 
President and senior White House leadership that I mentioned in my testimony at the hearing 
are the only two such meetings in which I can recall participating prior to the launch of the 
Federally Facilitated Marketplace. In the first meeting, which was in April 2013, there were 
multiple presenters, and my role was to talk for approximately ten minutes and summarize the 
findings of the early 2013 McKinsey “red team” exercise - which identified general project 
execution and user-facing consumer experience risks and recommended a series of actions to 
address those risks and improve how the project was operating. In the second meeting, which 
was in July 2013, my role among the presenters was to discuss, for approximately ten minutes, 
follow-through on key red team recommendations (CMS agreed to adopt them all, with HHS 
and White House support) and CMS’s assessment of the current status of efforts to complete 
the intended functionality of the Marketplace. As I recall, the McKinsey red team exercise’s 
work did not focus on cybersecurity, and in neither meeting did my talk discuss the site’s 
cybersecurity defenses. With respect to postponing the launch of the website, I do not recall a 
discussion considering a delay of the launch of the website at either of those two meetings. 


8. At the Oversight and Government Reform hearing in November, 2013, Rep. Jim Jordan 
noted that according to White House logs, you attended nine White House meetings run 
by Ms. Jeanne Lambrew, to which you acknowledged attending meetings from “time to 
time”^ on the subject of the Affordable Care Act. How many of these meetings included 
discussion of the ACA and HealthCare.gov website, and what was your role in the 
meetings? 

Response: 

Prior to October 1, 2013, I was in meetings run by Jeanne Lambrew from time to time on the 
subject of the Affordable Care Act. To the best of my recollection, meeting topics included 
matters related to the development of particular regulations, outreach efforts, and Affordable 
Care Act implementation. I am not certain how many meetings specifically included 
discussion of HealthCare.gov and the Federally Facilitated Marketplace, but believe that a 
number of them did. My role in such meetings was generally to listen to presentations made 
by others and to offer thoughts and assistance in places where this would be helpful. 


9. Who did you most frequently meet with to discuss the Affordable Care Act and/or the 
HealthCare.gov website? Who at the White House did you most frequently meet with? 

Response: 

Prior to October 1, 2013 (the time period to which I am assuming this question is referring), the 
people with whom I recall most frequently discussing the Affordable Care Act and/or the 
Federally Facilitated Marketplace were CMS management (including Michelle Snyder and 
Henry Chao), the White House Office of Health Reform (including Chris Jennings and Jeanne 
Lambrew), and the Office of Management and Budget (including Steve VanRoekel). 


^ “Obamacare Implementation - The Rollout of HealthCare.gov,” House Oversight and Government Reform Committee, November 13, 
2013, available at: 

httD://oversight.hQuse.gov/wp-content/uploads/20}4/06/M-l3-13-TRANSCRIPT-Obamacare-Iinplementation-The-Rollout-of-HeaIthCar 
e.aov .pd f. (Hereinafter OGR Transcript). 

10. Did you ever have a conversation about the operational readiness of HealthCare.gov 
with Dr. John Holdren, OSTP Director? If so, please describe in detail what was 
discussed? 

Response: 

I do not recall having conversations with Dr. Holdren about the operational readiness of 
HealthCare.gov. I would let Dr. Holdren know from time to time when I was asked to spend 
time assisting with HealthCare.gov, but I do not recall briefing him in a substantive way about 
the content of this work. 


11. Referring to Enclosure 2 of this document, did the additional hardware from Verizon 
that you helped Mr. Chao order in the days leading up to the website launch perform as 
you expected? 

a. Who suggested that additional hardware was needed? 

b. Is it typical to order and implement new hardware into a system hours before it is 
to be released to the public? If not, please explain the risks in doing so? 

c. Were you concerned by the need to implement new hardware hours before the 
website launch? If not, why? 

d. Why was the new hardware needed? Please describe the mistakes that led to the 
need for this last minute fix. 

e. Was the White House made aware of the issues that require this last minute fix? 
Who informed them? 

Response: 

My understanding from CMS, which was the on-the-ground manager of what was happening, 
was that the additional hardware was successfully transported to the data center hosting the 
Marketplace and brought online. My recollection is that it was CMS’s idea to seek to bring in 
additional hardware, to add capacity to the system. In my experience, it is not a rare 
occurrence to add server capacity on rapid timeframes to help increase system capacity. 

During the work to turn around and improve the Federally Facilitated Marketplace post 
October 1, 2013, our team added hardware and server capacity on rapid timeframes on multiple 
occasions — work that does need to be done with care and skill to ensure success. Based on 
my conversations with CMS management at the time, my understanding of why CMS moved 
to add more capacity prior to October 1 was due to the need to expand capacity given load 
testing results and in anticipation of high demand. As I recall, CMS made the White House 
(including me and the White House Office of Health Reform) aware of this effort. As 
previously discussed, CMS asked 
me to help facilitate getting additional hardware transported to the data center hosting the 
Marketplace; I provided assistance as asked. CMS’s progress in this effort was tracked by 
CMS senior leadership and the White House Office of Health Reform; my understanding from 
CMS was that the additional hardware was successfully transported to the data center and 
brought online. 


12. Referring to Enclosure 3, in the ACA Exchange IT Steering Committee meeting minutes, 
it notes that you were engaged in discussion on NIST Level 2 inter-mechanics. Who did 
you speak with and what was discussed? 

Response: 

My recollection is that CMS asked OMB and me — as per the Steering Committee’s mission to 
provide a neutral venue in which agencies could work through interagency items — to facilitate 
a conversation in which CMS, SSA, and IRS would discuss identity proofing. As part of my 
role as facilitator, via email and phone, I helped CMS connect with NIST resources (including 
a NIST employee then on detail to OSTP whom NIST asked to join the conversation), so that 
CMS could access their expertise on and knowledge of identity proofing and the meaning of 
NIST Level 2; I am not an expert on such matters. My recollection is that CMS, SSA, and 
IRS ultimately came to agreement on the topic of identity proofing themselves in a generally 
self-propelled way. 


13. Besides the ACA Exchange IT Steering Committee meetings, what other meetings did 
you attend where the HealthCare.gov website was discussed? 

Response: 


In the period prior to October 1, 2013, in addition to the Steering Committee meetings, I 
attended a variety of meetings at CMS, HHS, and the White House which included discussion 
of HealthCare.gov and the Federally Facilitated Marketplace (on various aspects of 
implementation, consumer outreach, and presentation to consumers), including the meetings 
discussed in my answers to Questions 7 and 8. Other than as described in my answer to 
Question 7, my role in such meetings was generally to listen to presentations made by others 
and to offer thoughts and assistance in places where this would be helpful. 

14. In an email from Thursday, October 10, 2013, (Enclosure 4) you emailed Marilyn 
Tavenner an article from TrustedSec and stated, “this got sent to me by someone who 
says these guys are on the level.” 

a. Who sent you the TrustedSec article? 

b. Did this person email you the article? If so, did they email it to your work or your 
personal email account? 

Response: 

On October 10, 2013, Bryan Sivak, the CTO of HHS, sent me the TrustedSec article - via 
email, to my work account. I sent it to CMS for evaluation. CMS responded shortly 
thereafter, saying that its analysis and review confirmed that “the site is secure and operating 
with low risk to consumers.” 

As a note, in a subsequent conversation in an associated email, on a topic unrelated to the 
TrustedSec article, I stressed to the Administrator of CMS that it would be important for CMS 
to conduct thorough load testing and security testing of “Wave D,” which referred to new 
account management software functionality being developed by Marketplace contractor CGI 
that was potentially going to be deployed to help improve account management performance in 
the Federally Facilitated Marketplace. I was focused on this effort at the time (early October 
2013) because by that time, I was engaged full-time in the HealthCare.gov turnaround effort, 
working night and day to help address issues, including the ability for users to create accounts 
and log on to the system; this is why I was writing to the Administrator of CMS on the topic. 
The new account management software functionality represented by “Wave D” was ultimately 
not deployed, as an alternate path to account management performance improvement (work 
dubbed “Wave C-H-” and subsequent activity pursued by Oracle and others) proved successful. 

15. In your testimony before Congress in November 2013, you disagreed with Rep. Jim 
Jordan’s characterization of you as the “head of information technology for the entire 
United States,”^ stating that you are the “technology and innovation policy advisor in the 
Office of Science and Technology Policy.”'* 

While you were evidently part of OSTP leadership as CTO, and you state in your 
testimony that you joined “the White House Office of Science and Technology Policy as 
U.S. CTO,” OSTP Administrator John Holdren testified that you did not report to him in 
testimony he presented before the Committee earlier this year. 

a. What is the role of the U.S. Chief Technology Officer? If it has evolved over 
time, what changes in responsibilities have been made, and why? 

b. Who did you report to as U.S. CTO? Was the President technically your direct 
supervisor or was there someone else to whom you reported? 

c. Did you ever brief Dr. Holdren about HealthCare.gov? If so, at whose request, 
how often, and what did you convey to him? 

d. How did you distinguish between your responsibilities as advisor to the 
President and as leadership within OSTP? How did the OSTP staff who 
worked for you make that distinction? 

e. Was your salary as U.S. Chief Technology Officer paid through OSTP? 

f. Did anyone else at OSTP work on aspects of HealthCare.gov (including 
Presidential Innovation Fellows)? If so, who, and what did they work on? 

Response: 

My role as U.S. Chief Technology Officer was primarily to serve as an advisor across a broad 
portfolio of technology and innovation policy issues. I worked on open data policy and 
initiatives, wireless spectrum policy, how to advance a free and open internet, how to harness 
the power of technological innovation to fight human trafficking and improve disaster response 
and recovery, and more. My understanding is that my predecessor, Aneesh Chopra, the first 
U.S. CTO, also held the title of Associate Director for Technology, which carried with it the 
responsibility of overseeing Federal investment in technology research. When I assumed the 
role of U.S. CTO, unlike Mr. Chopra, I did not simultaneously take on the responsibilities of 
the Associate Director for Technology; this evolution was in order to enable me to devote the 
desired level of focus on technology and innovation policy. As to earlier conceptions of the 
U.S. CTO role, I cannot speak to those; I can speak to what I was asked to do in the role. 

I was also an Assistant to the President. I took general direction from the White House Office 
of the Chief of Staff and specific direction from different individuals with whom I would work 


^ Ibid. 
’ Ibid. 
on each of the technology and innovation initiatives in which I was involved. 

I do not recall briefing Dr. Holdren about HealthCare.gov and the Federally Facilitated 
Marketplace in substantive ways. I would let Dr. Holdren know from time to time when I was 
asked to spend time assisting with HealthCare.gov, but do not recall briefing him in a 
substantive way about the content of this work. 

As U.S. CTO and part of OSTP’s leadership, I focused on technology and innovation policy, 
consistent with OSTP’s mission. As an Assistant to the President, I held the same rank as Dr. 
Holdren, and therefore operated as his peer and as a partner, though Dr. Holdren holds overall 
management responsibility for the operations of OSTP. 

OSTP paid my U.S. CTO salary. 

With respect to others working in OSTP, other than as specified in my answer to Question 12, 
my recollection prior to October 2013 is that I would from time to time ask an HHS detailee to 
attend a HealthCare.gov-related meeting in my stead, to accompany me, or help with some 
aspect of follow-up work. Post October 1, 2013, I asked a former Presidential Innovation 
Fellow who was an HHS assignee to help assist the effort to turn around the Federally 
Facilitated Marketplace. 


16. How many Affordable Care Act Steering Committee meetings were held and how many 
did you attend? How many of these meetings did the other two co-Chairmen attend? 

a. Did the Steering Committee stop meeting in early 2013, and if so, why? Did the 
meetings resume? 

b. As co-chairman, what was your role in these meetings? 

Response: 


The interagency Steering Committee meetings were organized and led by OMB. My 
recollection is that they were scheduled to occur on an approximately monthly basis. As I 
recall, I attended a subset of the meetings, but not all of them. I believe that one or both of the 
co-chairmen from OMB (or their proxies) attended each of the meetings. (Note: one of the 
co-chairs, Keith Fontenot, left OMB in early 2013.) With respect to my role on the 
committee, as discussed earlier, my co-chairs and I provided a neutral venue in which agencies 
could discuss interagency issues, primarily in support of the data services hub, which ended up 
going live quite successfully. 

My recollection is that in early 2013, the interagency Steering Committee moved to a process 
in which agencies were to ask co-chair and Federal Chief Information Officer Steve VanRoekel 
to convene a meeting if any interagency issue arose that required it, whenever required, with 
monthly meeting times held on calendars in case they should be required for such issues. As I 
recall, this development was spurred by progress agencies had made on interagency issues, the 
efficiency with which they were collaborating with each other directly, and the desire to 
streamline governance mechanisms (a direction reinforced by the McKinsey “red team” 
exercise). I can recall a couple of interagency calls that happened subsequent to this 
development, which I do not believe were spurred by any specific issue, but rather were 
opportunities for agencies to check in on interagency work in general; my recollection was that 
agencies indicated that their collaboration was going well. 


17. As of the end of August, 2014, you are no longer the U.S. Chief Technology Officer. 
However, you are still employed by the Administration. 

a. What is your current formal job title and what are your responsibilities, including to 
whom do you report? 

b. What is your salary and from which office or agency’s budget is it funded? 

c. Does your job position require you to file a public financial disclosure report, and if 
so, which form(s)? 

Response: 

My current formal job title is Consultant. My responsibilities are to help attract more and 
more of the best tech talent in the Nation to serve in government (which is my current primary 
focus); to identify innovative ways to improve the quality of government digital services and 
provide advice on their optimal development and operation; and to help ensure that the 
Administration has an on-the-ground sense of how technology is evolving and can craft policy 
and initiatives accordingly. Organizationally, I am located in the White House Office; as a 
practical matter, I work with and for a wide variety of people and agencies across government, 
including the United States Digital Service, the White House Office of Presidential Personnel, 
and agencies seeking key tech leadership. I offered and agreed to not receive compensation in 
this current role, and I am not required to file a public financial disclosure report. 

Questions Submitted by House Science, Space, and Technology Committee Ranking Member 
Eddie Bernice Johnson 


1. In his opening, Chairman Broun said, “We have been waiting a very long time to be able 
to question you, sir. I am sorry that we had to come to the point of issuing you a 
subpoena to get that to happen, but I am glad that you are here today, sir.” The 
Chairman continued, “In fact, the Committee has invited you several times before on five 
different occasions. We wrote directly to you, Mr. Park, as well as to the Director of the 
Office of Science and Technology Policy. None of those invitations elicited the “yes” 
response that we got as a result of issuing you a subpoena.” This introduction created 
the clear impression that you had been avoiding testifying on the Hill. I would like to 
give you a chance to address this allegation. 

a. Isn’t it true that you appeared to testify before the House Committee on Oversight 
and Government Reform on November 13, 2013? 

b. The White House sent the Subcommittee a letter (Enclosure 5) on September 16, 
2014 offering to provide you to testify for a date in November. Despite this 
voluntary offer to testify you were given a subpoena to appear. In his closing 
comments, Chairman Broun said, “I am sorry we came to the point where we had 
to subpoena you to come before this Committee, but thank you for coming, even 
possibly under duress.” Was a subpoena necessary to get you to testify before the 
Subcommittee on Oversight on November 19, 2014? Did you appear under 
“duress?” 

Response: 

I did testify before the House Committee on Oversight and Government Reform on November 
13, 2013. With respect to appearing before the House Science, Space, and Technology 
Subcommittee on Oversight, I was prepared to testify before the Subcommittee without a 
subpoena at a mutually convenient date in November 2014, and offered to do so, as indicated 
by the letter from the White House that the question references. 


2. In his opening statement, Chairman Broun questioned the claims of Dr. Holdren that you 
were not a cybersecurity expert. He described that “as an interesting description of you 
to say the least.” He continued, “You are the co-founder of athenahealth, which you 
co-developed into one of the most innovative health IT companies in the industry and 
become very wealthy in fact doing that. As a government employee, you helped launch 
the President’s Smarter IT Delivery Agenda, which created the new U.S. Digital Service, 
and you created the beta version of Healthcare.gov. How do these activities not require 
cybersecurity expertise?” The Chairman’s rhetorical question deserves an answer. 

a. Would you please clarify how you could do all the kinds of things the Chairman 
references and (still) not be a cybersecurity expert? 

b. Please succinctly explain the kinds of specializations that exist in the IT world that 
may allow someone successful in one area of IT to not necessarily know very much 
about another area of IT. 

c. Is it accurate to say that “you created the beta version of Healthcare.gov”, as 
Chairman Broun asserted? It seems that there is confusion about your work on 
Healthcare.gov while you were at HHS. Please clarify this matter. 


Response: 

As someone who has led technology initiatives both in the private sector and in government, I 
have learned that the key to success is not to try to do everything yourself, but rather, to 
assemble the best possible team, composed of remarkable people who have expertise in each 
necessary area, rally them to a common vision, provide the conditions under which they can do 
their best work, together, and support them in that work. That is what I did at Athenahealth, 
where in many areas I relied upon the expertise of others. The world of technology, like many 
fields of professional endeavor, has developed multiple specialties, as opposed to requiring that 
everyone be equally adept at everything (which as a practical matter is not possible): 
specialties including various axes of software development, product management, project 
management, user experience design, data science, site reliability engineering, hardware and 
infrastructure engineering, cybersecurity, and more. 

With respect to the initial version of HealthCare.gov: as articulated in my written testimony 
for the November 19, 2014 hearing, in August 2009, I was asked to come serve as the U.S. 
Department of Health and Human Services’ CTO and “entrepreneur-in-residence.” My role at 
HHS was to serve as a technology policy and innovation advisor. As a special project, after 
the passage of the Affordable Care Act in March 2010, I was also asked to lead an early effort 
to develop a website in 90 days that provided basic information about the Affordable Care Act 
and health coverage options. This website was the first edition of HealthCare.gov, and was a 
purely informational site; it did not contain a transactional marketplace in which people applied 
for health insurance. This early website went live very successfully on July 1, 2010. I should 
note that this website was subsequently essentially completely replaced in 2013 by the Centers 
for Medicare and Medicaid Services (CMS) with a new HealthCare.gov that incorporated the 
Federally Facilitated Health Insurance Marketplace. 

3. Chairman Smith stated that, “Mr. Park directed several contractors to review the 
security of the website.” 

a. Did you have the legal or budgetary authority to direct contractors to do any 
specific work on HealthCare.gov prior to October 1, 2014? 

b. Did you ever “direct” any contractors to review security of the website? 

Response: 

To my knowledge, I did not have the legal or budgetary authority to direct contractors to do 
any specific work on the new HealthCare.gov and the Federally Facilitated Marketplace prior 
to October 1, 2013. I do not recall directing any contractors to review the security of the 
website. 


4. You have described your relationship with Henry Chao and CMS in the development of 
HealthCare.gov as advisory in nature. The records provided to the Committee reflect 
that very clearly. However, we do not see similar records between you and Tom 
Shankweiler, the Chief Information Security Officer at HHS who was directing the 
security development for HealthCare.gov. Prior to October 1, 2013, how would you 
characterize your relationship with Mr. Shankweiler? 

Response: 

Prior to October 1, 2013, I can recall being in meetings where Mr. Shankweiler was also 
present, but had limited direct interaction with him in general. 


5. Mr. Park, Chairman Smith led a line of questioning regarding website risks and security 
and reports. The end result was that Chairman Smith issued a press release with the 
header, “Park Admits President Knew in Advance about HealthCare.gov problems.” 

The text of that release does not elaborate in any way on this claim, or provide a 
particular quote from you, so it is difficult to know what “problems” the Chairman 
believes the President may have known of from your briefings. However, the claim is 
clearly rooted in Chairman Smith’s questioning. The Chairman made reference to the 
Red Team evaluation exercise you participated in and the Mackenzie report, and seemed 
to suggest that you should have known prior to October 1, 2013 the results of a 
Government Accountability Office report on cybersecurity of the website that was not 
available until the Summer of 2014. You did acknowledge briefing senior officials in the 
White House about the risks identified in the Red Team and Mackenzie reports. 

a. Can you succinctly summarize the Red Team and Mackenzie report “risks” and, 
to the degree you know, briefly describe the actions that were to be taken to address 
those risks? Be very clear about which of these risk evaluations, if any, were 
about cybersecurity. 

b. You mention that you believed there were two briefings for White House senior 
leadership where the President was in attendance. To the best of your 
recollection, how many briefings involved the President and when did these occur? 

Response: 


The McKinsey “red team” exercise in early 2013 identified both key risks to the Marketplace’s 
user-facing consumer experience and recommended actions to address those risks, which CMS 
agreed to adopt, with HHS and White House support. For instance, to address the risk that the 
Marketplace and Hub would be unavailable due to system failure, the exercise recommended 
prioritizing and locking down remaining open requirements for version 1.0 of the Marketplace 
with rapidity, maximizing time for testing, and establishing an operations command center and 
response capability to deal with post-launch issues. To mitigate the risk that the Federal 
Marketplace would not be able to absorb large-volume State-based Marketplaces (e.g., NY, 
CA) at the last minute should those states run into blockers, the exercise recommended 
communicating with states that they needed to make definitive decisions by a near-term 
deadline about whether they were going to continue with State-based Marketplaces or go the 
Federal route. To the best of my recollection and knowledge, none of these key risk 
evaluations were focused on assessing the cybersecurity defenses of the Marketplace. 

With respect to briefings prior to October 1, 2013, with White House senior leadership where 
the President was in attendance, as referenced in the question, I can recall attending two such 
briefings - the first in April 2013 and the second in July 2013. 


6. At times during the hearing, Majority Members used your detailed knowledge about a 
single, specific matter— for example the effort to get more server capacity on line for 
October 1—to assert that because you knew that matter so well you must have had 
detailed knowledge of the project across the board. Please explain again how your role 
as an advisor for HealthCare.gov put you in a position where you would have detailed 
knowledge about a specific issue, but still not be in a position to have the kind of detailed 
information that a day-to-day project manager would have? 

Response: 

As I discussed in my testimony, I was not a project manager who was managing and executing 
the day-in and day-out operational work of building the new HealthCare.gov and the Federally 
Facilitated Marketplace. This was the responsibility of CMS. I did not have the kind of 
comprehensive, deep, detailed knowledge of the effort that a hands-on project manager would 
have, and which I have had about other projects in my private sector work. Prior to October 1, 
2013, I assisted CMS with its work in a few different capacities as an advisor, as described in 
my testimony, while executing my overall duties as White House technology policy and 
innovation advisor, working on a broad range of policy and innovation matters ranging from 
open data to fighting human trafficking. With respect to the assistance I provided to CMS, on 
a particular issue on which my assistance was requested, I would garner particular knowledge 
on that specific issue at that moment in time; however, I did not have the kind of detailed, 
across-the-board, ongoing knowledge of the project that a day-to-day, on-the-ground project 
manager would have. 

7. Mr. Johnson made reference to a campaign position advocated by then-candidate (or 
President-elect) Obama in which it was proposed that a Chief Technology Officer 
position would be created and, among the examples of their mission said that a CTO 
would “ensure the safety of our networks” and to ensure the “security of our networks.” 
Mr. Johnson then made a series of statements that took that proposal from 2008 as a 
factual statement of your responsibility as CTO. Never were you asked directly if 
establishing agency-wide cybersecurity standards was included in your portfolio when 
you came to the CTO job in 2012. Nor did Mr. Johnson mention that the 2002 
E-Government Act actually created an office at OMB, the administrator of the Office of 
Electronic Government (and the two most recent occupants of this position have taken on 
the title of Chief Information Officer) with responsibility for many aspects of interagency 
IT policy, including ensuring computer architecture security across the government. 


a. When you came to the CTO job in March, 2012, were you tasked by the President 
with ensuring the safety and security of Federal computer networks? 

b. Based on your experience, was it the CIO at OMB who was charged with 
interagency cybersecurity responsibilities? 


Response: 

When I came to the U.S. CTO job in March 2012, I was not tasked by the President with 
ensuring the safety and security of Federal computer networks. It is my understanding that it 
was the CIO at OMB who was charged with interagency cybersecurity responsibilities. 


8. Mr. Cramer asked you about an email exchange with Ms. Snyder on September 29, 2013. 
I would like to give you a chance to lay out the context of this email-you mentioned 
hardware issues during the hearing— and how that was resolved? 

Response: 

As I recall, the thrust of the email chain was an effort to bring in additional hardware capacity 
to reinforce the Marketplace’s ability to support user load. Based on my conversations with 
CMS management at the time, my understanding of why CMS was moving to add more 
capacity prior to October 1 was due to the need to expand capacity given load testing results 
and in anticipation of high demand. CMS asked me to help facilitate getting additional 
hardware transported to the data center hosting the Marketplace in order to provide additional 
server capacity; I provided assistance as asked. As discussed earlier, my understanding from 
CMS was that the additional hardware was successfully transported to the data center and 
brought online. 

9. Compare and contrast your involvement in HealthCare.gov before and after October 1, 
2013. 

Response: 

With respect to the new HealthCare.gov and the Federally Facilitated Marketplace that 
launched on October 1, 2013: prior to the launch, I assisted CMS with its work in a few 
different capacities as an advisor, as described in my testimony, while executing my overall 
duties as White House technology policy and innovation advisor, working on a broad range of 
policy and innovation matters ranging from open data to the fight against human trafficking. 
After the launch, as the extent of the operational issues with the site became clear, it became an 
all-hands on deck moment, and I, along with others, dropped everything else I was doing and 
increased my involvement in HealthCare.gov dramatically, shifting full-time into the 
HealthCare.gov turnaround effort, and working as part of the “tech surge” that radically 
improved the performance of the site. I worked as part of a terrific team, working around the 
clock, even sleeping on office floors. My particular focus was on helping to reduce the 
amount of time the site was down, improve the site’s speed, improve its ability to handle high 
user volume, and improve user-facing functionality. Our team effort drove massive 
improvement in the site, ultimately enabling millions of Americans to successfully sign up for 
health insurance through the site. 

Enclosure 1 


From: Snyder, Michelle (CMS/OA) [address redacted] 
Sent: Sunday, September 29, 2013 6:22 PM 
To: Park, Todd 
Subject: Re: Discussion points 


Just so you know she decided in January we were going no matter what - hence the really cruel and uncaring march that 
has occurred since January when she threatened me with a demotion or forced retirement if I didn't take this on - do 
you really think she has enough understanding of the risks to fight for a delay - no and hell no - for just one moment let's 
be honest with each other. I appreciate your belief in the goodness of others but at this point I am too tired to pretend 
there is a decision to be made - it is just how much crap my team will have to take if it isn't sufficiently successful - you 
haven't lived through the temper tantrums and threats for the last 9 months. 

OK - that felt good - - am now back to my role as no comment civil servant 

Delete this after reading - promise 

M 


Sent from my BlackBerry Wireless Device 


-----Original Message----- 

From: Park, Todd [address redacted] 
Sent: Sunday, September 29, 2013 05:54 PM 
To: Snyder, Michelle (CMS/OA) 
Subject: RE: Discussion points 

Yes, got it. On the call with MT, Chris, and Jeanne MT said that appreciates the additional info we will generate 
tonight, but that she and she alone will make the decision to go or not - which of course is right. And the way she is 
thinking about it from a performance standpoint is that if enough of the additional hardware gets online to give us an 
insurance policy, she is comfortable proceeding with 90,000 concurrent users being far beyond the 50,000 that was the 
CMS target. 

Because new hardware is going live on a rolling basis today and tomorrow, I think we are in very good shape on the 
hardware front - and because the Miami equipment got here so early today, we've got a good shot at that being live 
and helping us get to 90,000. 

Will be good tonight as per one of the questions for the 9 pm to get people's guesstimate of what kind of traffic in 
general (order of magnitude) would be associated with a 90,000 concurrent user scenario, just so MT has that. 

And will also be good to understand the EIDM situation a bit better to see if that is a separate bottleneck with a lower 
concurrent user threshold? And if that's a possible threat to monitor. Again, just to inform MT. 

Going to deliver cupcakes now :) 


-----Original Message----- 

From: Snyder, Michelle (CMS/OA) [mailto: 

Enclosure 2 


From: Fasching, Laura [address redacted] 
Sent: Saturday, September 28, 2013 10:[illegible] PM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Glad to help, let me know if you need anything else gentlemen ☺ 
Laura 


Laura Fasching 
Director of Public Sector Strategic Accounts | Verizon Terremark 
222 W Las Colinas Blvd, Irving, Texas, 75039 


From: Park, Todd [address redacted] 
Sent: Saturday, September 28, 2013 10:38 PM 
To: Fasching, Laura; Chao, Henry (CMS/OIS) 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


That's super-awesome Laura, thanks so very, very, very much!!!! 


From: Fasching, Laura [address redacted] 
Sent: Saturday, September 28, 2013 10:36 PM 
To: Chao, Henry (CMS/OIS); Park, Todd 
Cc: Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Todd & Henry, 

The shipper is picking up the equipment in the next [illegible] minutes from the Miami data center and we expect the shipment 
to arrive between 9:30 AM to 10:00 AM. ☺ 


So Monday COB is looking good as long as we keep the shippers on schedule, as the build teams will be working at S am 
with the equipment that was brought in today. 

Laura 


Laura Fasching 
Director of Public Sector Strategic Accounts | Verizon Terremark 
222 W Las Colinas Blvd, Irving, Texas, 75039 


From: Chao, Henry (CMS/OIS) [address redacted] 
Sent: Saturday, September 28, 2013 9:03 PM 
To: Fasching, Laura; Park, Todd 
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


I got the approval from our COO and head of Contracts to go with the [illegible] option. 

Contracts said we will have to work out how this can be a line you can bill in the contract but no problem figuring that 
out later. 


Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 


From: Fasching, Laura [address redacted] 
Sent: Saturday, September 28, 2013 PM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Ok great Henry can I get confirmation that the Government will pay for the plane? We have to get David Small's 
Approval so we will need to call him as soon as possible. 


Thanks and sorry to rush you all. 
Laura 


Laura Fasching 
Director of Public Sector Strategic Accounts | Verizon Terremark 
222 W Las Colinas Blvd, Irving, Texas, 75039 


From: Park, Todd [address redacted] 
Sent: Saturday, September 28, 2013 8:50 PM 
To: Fasching, Laura; Chao, Henry (CMS/OIS) 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


FYI, the private plane option I am pursuing would likely cost about the same as the Fedex expedite cargo plane option 
below. 


Henry, I think that delivery to the datacenter mid-day Sunday sounds really, really, really good.... 


From: Fasching, Laura [m 
Sent: Saturday, September 28, 2013 PM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 
Importance: High 


Ok here is what I was able to do 

I was able to get to FedEx Custom Critical they can drive it to us via a truck with pick up tonight @ 11:[illegible] PM (ish) and 
delivery around 9 PM on Sunday night for $3700.00 
Or 

To: Chao, Henry (CMS/OIS); Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 

Laura, by when do you need to make a decision about whether to send via private ground, private cargo plane, or Air 
Force (if Air Force is indeed an option?) 

And to confirm private ground would deliver the hardware on Tuesday (to be installed Wednesday?), private cargo 
plane would deliver the hardware on Monday (to be installed Tuesday?). With no possibility of acceleration of those 
timetables? 


From: Chao, Henry (CMS/OIS) [address redacted] 
Sent: Saturday, September 28, 2013 7:29 PM 
To: laura.fasching[address redacted] 
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper? 

Todd-it's in your hands now to make a quick decision. 

Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 
(Pri) 
(Alt) 
(BB) 


From: Fasching, Laura [address redacted] 
Sent: Saturday, September 28, 2013 07:27 PM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


We have been exploring that option too but no luck so far 


Laura Fasching 
Director of Public Sector Strategic Accounts | Verizon Terremark 
222 W Las Colinas Blvd, Irving, Texas, 75039 


From: Park, Todd [m 
Sent: Saturday, September 28, 2013 7:25 PM 
To: Chao, Henry (CMS/OIS); Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Also: as another option to explore, in the interest of exploring all options simultaneously, is it possible to arrange for 
heroic chartered private sector ground transportation that could get going super-early tomorrow morning and get to 
Culpeper by Sunday evening? 


From: Park, Todd 
Sent: Saturday, September 28, 2013 7:03 PM 
To: 'Chao, Henry (CMS/OIS)'; 'laura.fasching[address redacted] 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


WH team responded instantly, is working on it as we speak and will get back to us ASAP. But they unfortunately are not 
optimistic, so we should explore other options in parallel. 


Is there any possibility of arranging for private/commercial cargo plane transport? Chartered, even? 


From: Chao, Henry (CMS/OIS) 
Sent: Saturday, September 28, 2013 6:36 PM 
To: 'laura.fasching[address redacted] 
Cc: Park, Todd 
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culp 


Just talked to Todd and he is going to talk to the rest of WH that can make this happen so just reply with the confirmed 
service to Homestead. 

Todd-let us know ASAP so Laura will send via ground if you can't arrange for transport to someplace the Air Force can 
land near Culpeper VA. 


Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 
(Pri) 
(Alt) 
(BB) 


From: Fasching, Laura [address redacted] 
Sent: Saturday, September 28, 2013 06:09 PM 
To: Chao, Henry (CMS/OIS) 
Cc: Fasching, Laura 
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Henry, 

We are working firming up the white glove shippers but once that is done we would be good to go. 

If we get the shippers scheduled and the equipment gets here tomorrow my engineers said they have the resources to 
build it out and just like we said before up by cob Monday. 

I will let you know about the shippers within an hour. 


Laura 


Laura Fasching 
Director of Public Sector Strategic Accounts | Verizon Terremark 
222 W Las Colinas Blvd, Irving, Texas, 75039 


Enclosure 3 


Workgroup Update 

[illegible] dependencies from consent. 

Marilyn Tavenner has been engaged in the consent resolution conversations. 

• Details cannot be flushed out until these conversations are complete. 

• CMS has been ordered to await the completion of these discussions before 
determining the necessary changes to the baseline schedule. 

Todd Park has been engaged in discussions on NIST level 2 [illegible]. 

• CMS is moving forward wit[illegible] which represents SSA’s 
understanding, as well. 

• SSA is interested in unde[illegible] downstream [illegible] 
integrated testing, as well as [illegible]. 

Scheduling 

• Highest risk to implementation associated with awaiting the high-level decision, 
as opposed to building for the worst-case scenario. 

o Broad risk: Schedule and implementation risks should be the largest 
concerns. The schedule presents a risk of a 2-4 week delay. 

o The team must agree that the schedule risk is a priority and must find 
ways to [illegible] from other areas. 

o It is unclear [illegible] Secretary is in discussion with or what the 
status of the discussion is. 

o Team [illegible] the simultaneous development between the 
legal issues and the IT build as the higher level issues were being 
addressed. The interagency team is not in full agreement on this issue. 

o David Black would like the teams to continue making technology 
progress. 

Clarification: Identification Proofing vs. Consent 

• Consent is a legal issue, whereas identity proofing is a solution and process that 
needs to be established. 

• SSA is relying on the Privacy Act for legal authority on ID proofing as there is 
none provided in the Act. 

o Legal team is currently working this issue. 

o Identity proofing would be built in as a process for verifying an 
individual's identity. 

• Previous decision to use two IRS challenge questions as the threshold has been 
reconsidered and is currently being discussed. 

• Suggestion: A smaller group of key individuals may need to reconvene on this 
topic in 3[illegible] weeks including Marilyn because of her involvement with the 
scheduling. 

Integrated Project Plan 

• The IPP needs [illegible] before focusing on the schedule 


ACA Exchange IT Steering Committee Meeting Minutes, p. 2 

Enclosure 4 


From: Snyder, Michelle (CMS/OA) [address redacted] 
Sent: Thursday, October 10, 2013 5:03 PM 
To: Park, Todd 
Subject: FW: Item 


A. Michelle Snyder 
Chief Operating Officer 
DHHS/CMS/OA 


From: Trenkle, Tony (CMS/OIS) 
Sent: Thursday, October 10, 2013 4:54 PM 
To: Snyder, Michelle (CMS/OA); Tavenner, Marilyn (CMS/OA); Kerr, James T. (CMS/CMHPO) 
Subject: RE: Item 

Here's the answer below, maybe more detail than you want. 

From: Schankweiler, Thomas W. (CMS/OIS) 
Sent: Thursday, October 10, 2013 2:08 PM 
To: Fryer, Teresa M. (CMS/OIS) 
Cc: Ashbaugh, Jason L. (CMS/OIS); Linares, George E. (CMS/OIS); Outerbridge, Monique (CMS/OIS); Oh, Mark U. 
(CMS/OIS); Chao, Henry (CMS/OIS); Warren, Kevin (CMS/OIS) 
Subject: RE: Admin passwords and insecurity in healthcare.gov 

Hello all, 

Here is the feedback regarding this inquiry. 

Statement: 

CMS (CIISG) acknowledges the feedback by the security community. Analysis of the code and a review of the 
operational environment has confirmed that the site is secure and operating with low risk to consumers. 


The code that has been reposted to Pastebin and commented on by TrustedSec is intended to be available to the public, 
code as it makes the user interface (UI) of the site function. By design, these 'resource bundles' contain all of the non- 
personalized text the user will see throughout the site. There is no admin level ID's or passwords located within the java 
script posted on-line. The code base at CGI has also just been queried for strings such as 'admin password' and 
'abc123gov' per the twitter screenshot. No evidence was located that there is admin credential revealed. The person 
who retweeted with the abc password is just being humorous. 

The XOC Security team and the SCA test team does run all of the tools mentioned in the article. A lot of commented 
code was removed prior to production, and the need to perform JS comment-removal/minification/obfuscation is a 
roadmap item, in fact it is scheduled for release to the Test2 environment tonight. Performing minification requires a lot of 
testing to ensure the application is not broken during YUI compression. As java scripts can be improved they will be 
released with subsequent builds. 

To the other points in the article: The marketplace does not use PHP so that is a non-issue. The use of Captcha was 
considered at one time, but removed to ensure 508-Compliance and to more importantly to remove burden on a 
consumer as A Good Consumer Experience was a design consideration. Also the concept of guessing ID’s to see if there 
is a valid one or not is a known risk. We can look into taking steps at locking down access controls further, but it would 
negatively effect the user-experience. 


Regards, 

Tom Schankweiler, CSSP 
Information Security Officer, CCIIO 
CMS\OIS\CIISG 
Consumer Information and Insurance Systems Group 
(Balt. Office, N2-1.S-22) 
(Mobile) 


From: Snyder, Michelle (CMS/OA) 
Sent: Thursday, October 10, 2013 4:41 PM 
To: Trenkle, Tony (CMS/OIS) 
Subject: Fw: Item 

Could you take a look? 


Sent from my BlackBerry Wireless Device 


From: Tavenner, Marilyn (CMS/OA) 
Sent: Thursday, October 10, 2013 04:10 PM 
To: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO) 
Subject: FW: Item 

Wanted you to have this in case you want to have tony reach out to them 


From: Park, Todd [address redacted] 
Sent: Thursday, October 10, 2013 2:11 PM 
To: Tavenner, Marilyn (CMS/OA) 
Subject: Item 


Marilyn, this got sent to me by someone who says these guys are on the level. I would suggest that the 
Marketplace IT security folks check it out (and potentially reach out to these guys as well) 


https://www.trustedsec.com/october-2013/affordable-health-care-website-secure-probably/ 
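
The two checks described in the October 10, 2013 statement in Enclosure 4 (querying code for strings such as 'admin password' and 'abc123gov', and removing JS comments before production) can be illustrated as follows. This is an added example, not CMS or contractor code; the sample bundle, its key names and the credential-key heuristic are constructed assumptions.

```python
import re

# Constructed sample standing in for a public UI "resource bundle"; not real site code.
SAMPLE_BUNDLE = '''/* TODO: remove test login note before production */
var messages = {
  "login.password.label": "Password",  // sign-in form label
  "help.url": "https://example.invalid/help",
  "admin.hint": "Forgot the admin password? Contact support"
};
var cfg = { adminPassword: "abc123gov" };
'''

# Comments and string literals are lexed together so that "//" inside a URL
# string is never mistaken for a comment, and quotes inside comments are ignored.
TOKEN = re.compile(r'''
    (?P<block>/\*.*?\*/)
  | (?P<line>//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
''', re.S | re.X)

# Heuristic (assumption): a property whose final dotted segment looks like a secret name.
CRED_KEY = re.compile(r"(?i)(passw(or)?d|passwd|secret|token|api_?key)")
# Unquoted property or variable name directly before the value: name: "..." or name = "..."
IDENT_KEY = re.compile(r"([A-Za-z_$][\w$.]*)\s*[:=]\s*$")


def lex(source):
    """Return (kind, line, text, start, end) for each comment and string literal.
    Simplification: regex literals and template strings are not parsed."""
    out = []
    for m in TOKEN.finditer(source):
        kind = "string" if m.lastgroup == "string" else "comment"
        line = source.count("\n", 0, m.start()) + 1
        out.append((kind, line, m.group(0), m.start(), m.end()))
    return out


def audit(source, needles=()):
    """Report leftover comments, literal needle hits (in comments and strings),
    and string values assigned to credential-named keys."""
    report = {"comments": [], "needle_hits": [], "credential_values": []}
    prev_end, prev = 0, None
    for tok in lex(source):
        kind, line, text, start, end = tok
        gap = source[prev_end:start]  # plain code between two tokens
        if kind == "comment":
            report["comments"].append((line, text))
        else:
            key = None
            m = IDENT_KEY.search(gap)
            if m:
                key = m.group(1)
            elif prev and prev[0] == "string" and re.fullmatch(r"\s*:\s*", gap):
                key = prev[2][1:-1]  # quoted property name
            if key and CRED_KEY.search(key.split(".")[-1]):
                report["credential_values"].append((line, key, text[1:-1]))
        for needle in needles:
            if needle.lower() in text.lower():
                report["needle_hits"].append((needle, kind, line))
        prev_end, prev = end, tok
    return report


def strip_comments(source):
    """Drop comments but keep string literals byte-for-byte."""
    return TOKEN.sub(lambda m: m.group(0) if m.lastgroup == "string" else "", source)


if __name__ == "__main__":
    for section, rows in audit(SAMPLE_BUNDLE, ("admin password", "abc123gov")).items():
        print(section, rows)
```

On the constructed sample, the literal search for 'admin password' hits only user-facing hint text, while the structural check is what separates that label from a value actually assigned to a credential-named key.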
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Enclosure 5 


THE WHITE HOUSE 

WASHiNGTON 

September 16, 2014 


l"he Monoiable Paul Broun 
Chainuan 

Subcomniitice on Oversight of the 
Comtnitlce on Science, Space, ami Tcchnoiog)- 
U.S, House of Rcprcsenlutives 
Wnshingioii, DC 20515 

Deiir Cliairman Broun: 

} luuicrsiand that last Friday the Committee on Scienfx, Space, mui Technology’s 
Subcouunitiee oji Oversight (thcSubcoituuittcc) noticed & September 17, 2014, business nrcciing 
to consider issuing two subpoenas. As tlescnlx'd in Uic notice, the SubcuTTirniilcc will consider 
whether ic issue a subpoena for Todd Park to appear w a hearing before the Suijcomntittcc, and 
whether to issue a subpoena for the production of some of Mr. Park’s records, during his former 
tenure in the Office of Science aitd Tcclaioiogy Policy (OSTP) as United States Chief 
Technology OfTtcer (CTO), rulaiiug to the healthcarc.gov website. 

I write in advance of the Subconunitlcc’s meeting to ensure you understand that the 
issuance of these subpoenas is unnecessary. Mr. Park will npjjeur voluntarily for a hearing 
before the Subcominitiee on a mutually convenient date in November to discus.*? your cxpre.s.scd 
interest in the heathcare.gov website. OSTP is willing to produce additional documents--- 
including the 1D2 pages proactively provided with thi.s letter - to further accommodate your 
■‘oRbrts to examine the safety, security and privacy of Amcrienn.'!’ personal data through the 
Obarnacare website.”’ The remainder of this letter discusses OSTP's efforts to etwperate with 
your oversight interests thus far, and OSTP’,s continued willingness to do so without any need for 
subpocitas. 

I understand that both the hill Comnuticc and the Oversight Subcommitlce have 
articulated their interest in the security ofhcaithcarc.gov as a desire for information about the 
meiUfures in place to defend the bcaiihcare.gov vs’cbsite against malicious cyber aitacks and to 
saf'eg;uard lljc persena} data of Americans. Chasnnan Smith initially wmte to Mr. Park to 

express interest In healihcarc.gov, the letter asked Mr. Park to address "what specific security 
siiuidards and technical measures arc in place to protect Americans’ privacy and persona! 
inforrnatittn that passes through the Heahheare.gov website, and what specific steps are in place 
to mitiguic scenarios in which the system is hacked, or personal inionnation is compromised or 


' Utter from the Han. !.amaf Smith, Paul Draan. M.D.. ana Laiy Bi.-eshon. M.lj,. jo tU Bon. John P. Holdren. 
DirecUjr^ OTite of Science and Techimlogy Policy (lyetcnsbcr 20, 2013) (hwcinaftei “DucemUr 20 LcUet'']. at 3. 
leaked.”' An email from Committee staff to OSTP at about the same time expressed interest in 
cybersecurity issues more generally, including a cybersecurity policy report that OSTP Associate 
Director Patricia Falcone helped prepare.^ In the same vein, your December 20, 2013, letter to 
OSTP referenced a hearing the Committee held in November of that year to examine the risks 
that online criminals and identity thieves might pose if they gained access to customers’ personal 
information.'^ And more recently in January of this year, the Committee continued its focus on 
the standards and technical protocols in place to defend against malicious cyber attacks in a 
second hearing convened on the same topic with “white hat” hackers as witnesses.^ 

From the outset, OSTP has been clear about the limitations both it and Mr. Park face in 
attempting to respond to the requests for information and testimony concerning these issues 
involving the development of security standards and the design of scenarios to respond to 
malicious intrusion attempts. As noted several times in prior correspondence, primary 
responsibility for those tasks lies elsewhere — with the Centers for Medicare and Medicaid 
Services (CMS) - and it is CMS that is in the best position to provide complete, current, and 
accurate information regarding the security protocols in place to protect the website. 
Nevertheless, the record reflects that OSTP has made substantial efforts to try to accommodate 
the Committee’s interest in security and to clarify Mr. Park’s role. 

OSTP has produced more than one thousand pages of documents; offered on multiple 
occasions to have Associate Director Falcone testify at a Committee hearing on cybersecurity 
policy issues; made Mr. Park available for a meeting with you and Chairman Smith in your 
office, where Mr. Park was willing to address any questions put to him; and offered to have Mr. 
Park brief all Subcommittee members. Through these substantial efforts at accommodation, 
OSTP has attempted to help the Committee better understand Mr. Park’s actual duties as the 
United States CTO and his role with respect to healthcare.gov. 

In particular, regarding the documents you have received, your letter of December 20 
asked OSTP to produce a very broad set of materials, including all OSTP records concerning the 
Affordable Care Act and healthcare.gov, scheduling information, records concerning internal 
White House briefings, and even documents that had not been created but might conceivably be 
provided to Congress in the future.* Confronted with this broad request and a short deadline in 
the December 20 letter for responding, OSTP focused its efforts to provide information on the 
issue that was plainly of particular interest to the Committee, namely, Mr. Park’s participation as 
one of three co-chairs on the healthcare.gov Interagency Steering Committee. Your December 

• Letter from the Hon. Lamar Smith, Chairman, Committee on Science, Space, and Technology, to Todd Park, 
Assistant to the President and United States CTO (October 31, 2013), at 1. 

’ Email from H. Comm. on Science, Space, & Technology Majority Staff to OSTP staff (Oct. 28, 2013, 5:42 p.m.) 
(“I suspect we would touch on related issues raised and addressed in the ‘Cyberspace Policy Review’ and the Dec 
2011 report ‘Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development 
Program,’ both of which were referred to in Dr. Holdren’s testimony before the Committee in a full committee 
oversight hearing on June 20, 2012.”) 

’’ December 20 Letter, at 1 (“The expert witnesses at our hearing outlined the significant risk of identity theft to 
Americans if hackers gained access to their personal information.”). 

' Hearing Before the H. Comm. on Science, Space, & Tech., 113th Cong. (Jan. 16, 2014) [hereinafter, January 16 
Hearing]. 

December 20 Letter at 3. 
20 letter focused on this Steering Committee and its security and privacy subgroup — even going 
so far as to attach a draft charter for the Steering Committee.' 

Accordingly, in its January 15, 2014, response, OSTP described the documents it was 
producing: those concerning the Steering Committee and other interagency meetings that made 
reference to security, which appeared to be of special interest to the Committee.'^ OSTP’s 
January 15 letter also explained the interagency coordination function the Steering Committee 
served, Mr. Park's role in it, and why his participation was not an indication that he had 
substantial knowledge or expertise concerning the standards or technical protocols for dealing 
with malicious intrusions that are the focus of the Subcommittee’s oversight inquiry. In the eight 
months following OSTP's production of these documents, the Subcommittee expressed no 
continued interest in receiving additional documents, nor did it raise any questions concerning 
the Steering Committee materials provided. Thus, you can understand why the abrupt notice of a 
business meeting to consider a subpoena for documents came as a surprise. 

Despite OSTP’s efforts at accommodation, it seems that the push to issue subpoenas this 
fall may unfortunately reflect a continued misunderstanding of Mr. Park’s involvement in the 
security of the healthcare.gov website. This letter therefore provides additional information, 
namely, additional OSTP documents beyond those already provided concerning the Interagency 
Steering Committee, concerning Mr. Park’s limited involvement in the security aspects of the 
website, which are primarily handled by CMS. The enclosed documents can be grouped into 
three categories. 

In an extension of his role with the Steering Committee, Mr. Park and his other 
co-Chairs were occasionally asked to assist in instances when White House personnel made requests 
to officials at HHS and CMS. One instance when such assistance was sought involved a request 
for a meeting on user credentialing and identity-proofing from National Security Staff and Office 
of Management and Budget officials. The documents themselves make clear that although the 
particular request for assistance was made from CMS officials to Mr. Park, it was another 
co-Chair who provided assistance in addressing that request.'-' 

Second, Mr. Park was asked on a small number of occasions to assist in obtaining 
information from CMS and HHS personnel responsible for security of the website. In that role, 
Mr. Park asked HHS and CMS officials to develop background points describing the 
cybersecurity protections and helped coordinate follow-up conversations between the HHS and 
CMS officials and cybersecurity experts both inside and outside the government. Again, the 
emails themselves show that Mr. Park was not directly familiar with the development of 


’’ See also January 16 Hearing (statement of Rep. Paul Broun, M.D.) (“It's probably [sic] the oversight committee 
of — subcommittee of this committee’s contention that there is — or at least was - an Affordable Care Act information 
technology exchanges steering committee [chaired] by senior White House officials established back in May 2012, 
almost a year and a half before the roll out of Healthcare.gov.”). 

‘ Letter from Donna M. Pignatelli, Director, OSTP Legislative Affairs, to the Hon. Lamar Smith, Chairman, 
Committee on Science, Space, and Technology (January 15, 2014) [hereinafter January 15 Letter], at 3. At 
Chairman Smith’s request, OSTP also produced all documents that it had at that point provided to the Committee on 
Oversight and Government Reform. 

■’ Email from Steven VanRoekel to J. Michael Daniel, et al. (Apr. 12, 2013, 3:25 p.m.), enclosed. 
cybersecurity defenses in place, but instead served as an intermediary and relied on the HHS and 
CMS officials to provide the substance of the information he then passed on to others. 

Third, shortly before the first open enrollment period, Mr. Park also served as a liaison 
with cybersecurity officials at HHS and CMS in connection with efforts to explain publicly the 
cybersecurity protections for the health insurance marketplaces. This “spokesman” function is 
one Mr. Park performed from time to time as CTO with respect to technology issues generally. 
Importantly, the enclosed emails again confirm that Mr. Park was not speaking from direct 
personal knowledge or experience on cybersecurity — before participating in a press call, he 
solicited the relevant information from CMS cybersecurity personnel and sought to have them 
participate in the call given his relative lack of familiarity with cybersecurity issues.” 

The information provided in and with this letter is consistent with what OSTP has 
previously explained: that CMS is best positioned to address the Subcommittee’s questions 
regarding the security of the website and that Mr. Park has not been substantially involved in 
developing or managing the “specific security standards and technical measures ... in place to 
protect Americans’ privacy and personal information that passes through the Healthcare.gov 
website . . . .” More importantly, if the Subcommittee desires additional information, there is no 
need to resort to subpoenas. Mr. Park will be pleased to testify at a Subcommittee hearing in 
November. OSTP is also actively searching for additional records that may further illuminate 
Mr. Park’s relatively minor role on cybersecurity issues and is willing to voluntarily produce 
additional documents to aid the Subcommittee’s inquiry. Please simply have your staff 
communicate the Subcommittee’s priorities in that regard to OSTP. 


Sincerely, 

W. Neil Eggleston 
Counsel to the President 




Email from Todd Park to Tony Trenkle, et al. (Sept. 2, 2013, i:N p.m.), enclosed (“Hi Tony, many apologies for 
interrupting your Labor Day, but can you help Chris with his follow-up question below (reference to ‘current federal 
standards and how they exceed private sector as well as track record of protection from attack’?).”). 

" Email from Todd Park to Tony Trenkle, et al. (Sept. I?, 2013, tt:S4 p.m.), enclosed (“I've let Jessica know that 
you guys are the font of detailed knowledge on CMS/HHS cyber and that I can talk to it at a general level only - she 
thinks that will be OK on the call tomorrow, with detailed questions to be referred to agencies.”). 
Written statement submitted by Rep. Eric Swalwell 

Mr. Chairman, first, I would like to take a moment to thank you for your service. 
You served two years as Ranking Member and four years as Chairman. During your 
tenure, you have always conducted your chairmanship with generosity and great 
courtesy. While we have not always seen eye-to-eye on the matters before the Sub- 
committee, no Member on this side of the aisle has ever had reason to complain 
about the way you have conducted yourself, and that has gone a long way towards 
keeping relations civil and even cordial in the midst of disagreement. Thank you. 

Today may be a day of disagreement, but I sincerely believe that if you conduct 
this hearing as fairly as you have your past hearings, that we will all emerge with 
a clear understanding of what Mr. Park did and did not do related to 
HealthCare.gov. 

Fairness is particularly important because this hearing has the feel of a trial. The 
only witness before us is Mr. Park. The title of the hearing implies that we are 
going to examine his involvement in the development of the Healthcare.gov website. 
Most significantly, a staff report released by you and Chairman Smith on October 
28 functions as a prosecutor’s memorandum that makes very damning allegations 
regarding Mr. Park’s honesty before the Committee on Oversight and Government 
Reform and Dr. Holdren’s candor in his replies to this Committee regarding Mr. 
Park’s involvement in cybersecurity. As a former prosecutor, I believe that the alle- 
gations you have made against Mr. Park could place him in legal jeopardy. He de- 
serves a chance to tell his story and put these allegations to rest, and I believe he 
can do that. 

Mr. Park is a successful entrepreneur in the IT world who took a break from de- 
veloping successful companies to come to Washington, D.C. to help the government 
and the country think of creative ways to use information technology to improve our 
economy and address important social problems. 

He is a patriot and the son of immigrants who have played their own role in keep- 
ing the American economy vibrant and expanding. Mr. Park’s parents are here 
today. Mr. Park’s wife is here today. Mr. Park’s pastor is here today as well as 
friends from the IT business world. I mention this to remind all the Members to 
not confuse their feelings towards the Affordable Care Act with Mr. Park as a per- 
son. He served the public and did his best and should be thanked for his contribu- 
tions. In fact, Mr. Park has returned to the Bay Area and is attempting to recruit 
other bright, innovative stars from the IT world to come to Washington and take 
a few years to try to make a difference for the good of the country. Good luck with 
that message after today, Mr. Park. 

I have reviewed a Minority staff report, which I ask be made part of the record, 
built on a complete review of the documents produced by the White House. The staff 
make a very strong argument, supported by White House documents, that Park did 
not have deep, direct, or intimate involvement in any of the work of developing the 
on-line marketplace launched on October 1, 2013 or the cybersecurity standards and 
techniques used for the site. 

If he was playing such a role, there should be monthly progress reports from con- 
tractors that show progress against deliverables and requirements, costs of work, a 
critical path analysis that identifies where problems threaten a successful launch 
and discussion of the integration process for the site across an army of contractors 
on the project. None of those documents have been produced because he was not 
the day-to-day manager on the project. Nor are there the kind of documents that 
the contractors doing the actual work would possess — which would include discus- 
sion of code, performance and testing results. Those documents can be found at 
CMS, which managed this complex acquisition, and among the contractors, who did 
the work, but not in Todd Park’s records. 

The records that did come to us make it very clear what he was doing: He acted 
to gather information when the White House had questions about the project and 
he acted to help CMS find resources when they asked for help from the White 
House. 90% of the records fall into one category or the other. Gathering information 
for the boss or to use as a spokesman or providing assistance to the actual managers 
sounds more like the kind of work our Legislative Assistants and Committee staff 
do than that of people deeply involved in a project. The record shows Park was not 
in charge of anything, and what he did do on healthcare.gov was about information 
aggregation or assistance at the request of others. 

There is another missing element in the records the Committee has received from 
the White House: the thousands of pages of records related to Mr. Park’s full time 
job as Chief Technology Officer of the United States. Because we only requested 
records related to HealthCare.gov, it is easy to lose sight of the fact that his very 
limited work on Healthcare.gov was coming while he did a wide-ranging job as CTO. 

Park’s job was about trying to push technology throughout all levels of the country 
to improve our competitiveness and quality of life. As just one example, he drove 
an initiative to find innovative methods to use IT and big data to combat human 
trafficking. I don’t think there is any Member who favors human trafficking — that 
is about as non-partisan an initiative as you can get. Park was working, full time, 
in a much wider swath of issues and areas than healthcare.gov. Members should 
never lose sight of that and get tunnel vision about Park simply because we have 
such a narrow set of records. 

I believe that if Mr. Park is given a fair chance to answer questions here today, 
that Members on both sides of the aisle will conclude that Park was not a principal 
actor in the development of HealthCare.gov prior to October 1, 2013 and had no role 
in developing cybersecurity standards or techniques for the web site. Mr. Park, I am 
going to apologize to you now for the way you have been treated, and I am hopeful 
that you will get apologies from the Chairman by the end of this hearing. 
Supporting documents submitted by Subcommittee Chairman Paul Broun 


Congress of the United States 

House of Representatives 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 

2321 Rayburn House Office Building 
Washington, DC 20515-6301 
225-3371 

December 11, 2013 


President Barack Obama 
The White House 
1600 Pennsylvania Ave., N.W. 

Washington, DC 20500 

Dear Mr. President: 

We write to request information and an explanation about what your Administration is 
doing to address the security risks and privacy concerns surrounding Healthcare.gov. During a 
teleconference with reporters on December 1, Mr. Jeffrey Zients, your National Economic 
Council Director-designate, stated that the Obamacare website is “night and day from where it 
was on October 1” and that the website can now “support intended volumes” of users. ^ 

Though we appreciate the Administration’s efforts to address the flaws with the website’s 
capacity, we are concerned that the larger security and privacy issues remain unaddressed. 

While more people may be able to access the website, without much-needed security 
enhancements, this simply means that more Americans are vulnerable to online criminals and 
identity theft. 

At a hearing before the House Committee on Science, Space, and Technology on 
November 19, leading computer security experts from the private sector and academia outlined 
the significant threats posed to Americans by identity theft. One witness, David Kennedy, is a 
so-called “white hat hacker” who helps private sector companies secure their websites and data 
from online criminals. Mr. Kennedy gave a demonstration of real vulnerabilities with 
Healthcare.gov, showing how hackers are attempting to access personal information on the 
website. According to his testimony, not only is the website vulnerable, it’s under active 
attack. Even more troubling, Mr. Kennedy testified that there are “clear indicators that even 
basic security was not built into the Healthcare.gov website.” 

By design, Healthcare.gov interfaces with numerous federal, state and commercial sites 
and databases. The data passing through the Healthcare.gov website is one of the largest 
collections of personal information ever assembled, linking information from seven different 
federal agencies along with state agencies and government contractors. To gain information on 


’ CBSNEWS.COM Staff, “Healthcare.gov improvements ‘night and day’ from October launch,” CBSNEWS.COM, December 1, 2013, available 
at: http://www.cbsnews.com/news/healthcaregov-improvements-night-and-day-from-october-launch/ 
Mr. President 
December 11, 2013 
Page 2 

potential healthcare coverage through the website, users must input personal contact information, 
birth dates and social security numbers, as well as income, tax and other intimate financial 
information. 

Although the website itself does not retain personal data, it transmits it to other sites. 
Without adequate security measures, Healthcare.gov essentially becomes a portal for online 
criminals to access even more sensitive, personal data maintained by the IRS, state agencies, and 
insurance companies that share information with the website. The size and scope of information 
sharing alone raises significant security concerns. 

When asked whether Healthcare.gov had been compromised by hackers, Mr. Kennedy 
testified that he believed the website already has been hacked or soon will be. Every single 
witness, majority and minority-invited alike, testified that Healthcare.gov is not secure. Asked if 
they would have launched the website, the unanimous answer was “No.” Would they require 
front-end personal data disclosure on the site? Again, all four responded “No.” Finally, each of 
the experts said taking down Healthcare.gov should be seriously considered to address the 
security concerns and protect the personal information of users. Mr. President, your 
Administration has an obligation to ensure that the personal, financial, and account information 
collected as part of the Affordable Care Act is secure. 

Unfortunately, in its haste to launch the Healthcare.gov website, it appears that your 
Administration has cut corners that have left the website open to hackers and other online 
criminals. As a result, the personal information that has already been entered into 
Healthcare.gov is vulnerable to identity thieves. We already know of many attempts to hack into 
the system. If the security flaws go unaddressed, the more people who use the site will simply 
mean more Americans vulnerable to identity theft. 

In light of the concerns of online security experts, the following questions need to be 
addressed to ensure the safety, security, and privacy of all Americans’ personal data on the 
Obamacare website, 

1) Since October 1, what explicit steps has the Administration taken to improve the security 
of Healthcare.gov? 

2) Who in the Administration has been assigned to monitor, manage, and oversee the 
ongoing security needs of Healthcare.gov? 

3) Has the Administration conducted thorough, on-going tests and monitoring of security 
and privacy vulnerabilities with Healthcare.gov — including hiring private sector 
“hackers” to test the website’s ability to guard against malicious attack and intrusion? If 
so, who conducted the tests and on what dates? What were the operational details and 
specific results of these security tests? 

Because of the seriousness of the threat facing users of Healthcare.gov, we ask that answers to 
these critical questions be provided to the Committee no later than December 18. 


Sincerely, 




Lamar Smith 
Chairman 




Rep. Dana Rohrabacher 



Rep. Michael T. McCaul 


Rep. Paul C. Broun 



Rep. Steven M. Pal; 


Rep. Mo Brooks 







Rep. Jim Bridenstine Rep. Randy Weber 



Rep. Chris Stewart Rep. Chris Collins 




cc: Rep. Eddie Bernice Johnson 

Ranking Member 
EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 


January 15, 2014 


The Honorable Lamar S. Smith 
Chairman 

Committee on Science, Space, and Technology 
2321 Rayburn House Office Building 
Washington, DC 20515 

Dear Chairman Smith, 

I write in response to your letters of December 11 and 20, 2013, which discuss the Committee’s 
“efforts to examine the safety, security and privacy of Americans’ personal data through the 
Obamacare website.”' At the outset, thank you for your recognition that the performance of the 
healthcare.gov website has improved, though you continue to express concerns about the security 
and privacy of the technological infrastructure that allows Americans to shop for and purchase 
high-quality, affordable health insurance. 

Your most recent letters are two in a series that discuss the Committee’s oversight interest in the 
security of the Federal healthcare exchange. As the Office of Science and Technology Policy 
(OSTP) has repeatedly explained, OSTP personnel have not been substantially involved in 
developing or implementing the Federally Facilitated Marketplace’s (FFM) security measures. 
Nevertheless, OSTP has tried to address the Committee’s interest, including offering to testify 
regarding cybersecurity issues generally, and we remain committed to working with the 
Committee on science and technology matters. 

Portions of your December 20 letter, however, indicate that you may continue to misunderstand 
which agency is responsible for the security of the FFM. As you know from our prior 
correspondence, primary responsibility for monitoring, managing, and overseeing the security of 
the FFM rests with the Centers for Medicare and Medicaid Services (CMS). Congress has 
received a wealth of information from CMS regarding the security of the FFM in both testimony 
and written responses, and I trust you have access to this information.^ CMS and the Department 


^ December 20 Letter at 3. 

“ See, e.g., July 17, 2013 - CMS Administrator Tavenner’s Testimony before the House Homeland Security 
Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies and House Oversight and 
Government Reform Subcommittee on Energy Policy, Health Care and Entitlements, Joint Hearing on Information 
Sharing and the 2010 Health Care Overhaul Law; Aug. 1, 2013 - CMS Administrator Tavenner’s Testimony before 
the House Energy and Commerce Committee, Hearing on Implementation of the 2010 Health Care Overhaul Law; 
Sept. 11, 2013 - HHS Assistant Inspector General for Audit Services Kay Daly’s Testimony before the House 
Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, Hearing 
of Health and Human Services (HHS) have explained that the privacy and security of consumers’ 
personal information is a top priority; that when consumers fill out their online Marketplace 
applications, they can trust that the information that they provide is protected by stringent 
security standards; and that, to date, there have been no successful security attacks on 
healthcare.gov and no person or group has maliciously accessed personally identifiable 
information from the site.^ 

Your most recent letter states that you seek information on the security and privacy of the FFM 
from U.S. Chief Technology Officer (CTO) Todd Park based on “his familiarity with the website 
while he was CTO for the US Department of Health and Human Services.”"* It is true that 
Mr. Park helped develop the initial version of healthcare.gov when he worked for HHS in 2010. 
But the first iteration of healthcare.gov on which Mr. Park worked served as a general source of 
information about the Affordable Care Act, healthcare insurance options, hospital quality, and 
prevention topics. It was not a transactional marketplace on which consumers could purchase 
healthcare insurance, and it bears little resemblance to the current version of the website. That 
first version of the website has been replaced by the current healthcare.gov website, which is the 
interface for the FFM, and — as is well known — was developed by Federal contractors under 
CMS’ supervision. As OSTP has explained, CMS is best positioned to discuss the security of the 
FFM. 

Your letter also seeks information from Mr. Park about the security of healthcare.gov based on 
his role, as one of three co-chairs, in the Interagency Steering Committee. The Steering 
Committee focused on interagency coordination of the healthcare exchange and, in particular, the 
“data services hub” that facilitates communication among Federal and State agencies in 
connection with the purchase of health insurance by customers. As even the document attached 
to your December 20 letter makes clear, the agencies actually developing the hub, particularly 
CMS, IRS, and SSA, were assigned lead responsibility for working on data privacy and security 
harmonization issues that required interagency coordination. Making these agencies responsible 
for the security of the FFM made practical sense and was consistent with the applicable legal 
framework: that is, each Federal department and agency retains primary responsibility for 
securing and defining its own networks and critical information infrastructure.^ As OSTP has 
explained before, OSTP personnel have not been substantially involved in developing or 
implementing the security measures in place to protect the FFM. 


on the Health Exchange Data Hub; Oct. 30, 2013 — HHS Secretary Sebelius’ Testimony before the House Energy 
and Commerce Committee, Hearing on the 2010 Health Care Law Enrollment Issues; Oct. 29, 2013 - CMS 
Administrator Tavenner’s Testimony before the House Ways and Means Committee, Hearing on the 2010 Health 
Care Law Enrollment Challenges; Dec. 11, 2013 - HHS Secretary Sebelius’ Testimony before the House Energy 
and Commerce Subcommittee on Health, Hearing on the Implementation of the 2010 Health Care Law. 

^ See House Energy and Commerce Minority Memo of December 13, 2013, summarizing HHS briefing, 
http://democrats.energycommerce.house.gov/sites/default/files/documents/Memo-ACA-Security-Briefing-2013-12-13.pdf; 
see also Healthcare.gov Privacy Policy, https://www.healthcare.gov/privacy/. 

'' December 20 Letter at 2. 

^ See, e.g., Nov. 13, 2013 - Department of Homeland Security Acting Assistant Secretary Stempfley’s Testimony 
before the House Homeland Security Committee, Hearing on Data Security as it Relates to the Federal Government 
Website, HealthCare.gov, and the 2010 Health Care Law. 
Nevertheless, in a further effort to accommodate the Committee’s interest in this area and to help 
clarify the role of OSTP personnel, we are providing with this letter documents regarding certain 
interagency meetings, mainly the meetings of the Interagency Steering Committee, including 
agendas and associated materials that make reference to security. (Staff on Chairman Issa’s 
committee appear to have given some of these materials to you already, but we are producing 
them here at your request and for your convenience.) Nothing in the enclosed documents 
indicates that Mr. Park had a substantial role in developing or managing the security aspects of 
the FFM; they only serve to confirm that a briefing from Mr. Park on those issues would be 
neither informative nor productive. 

Finally, your letter states that the Administration has rejected three invitations to testify before 
the Committee and incorrectly asserts that OSTP raised Executive Privilege concerns in response 
to these invitations. To the contrary, OSTP has repeatedly made efforts to address the 
Committee’s stated oversight interest in the safety and security of the FFM. On at least four 
occasions, OSTP has offered to provide one of its two Senate-confirmed leaders, OSTP 
Associate Director for National Security and International Affairs Patricia Falcone, to testify. 

Dr. Falcone does not have specific knowledge of the data-security standards in place for 
healthcare.gov, but she is knowledgeable about general cybersecurity policy issues, including a 
cybersecurity report that your staff identified as relevant to its inquiry when first seeking an 
OSTP witness to testify before the Committee.* To my knowledge, OSTP has not mentioned or 
relied on a claim of Executive Privilege. Reviewing OSTP’s prior correspondence with you and 
your staff, I see no mention of it, and Dr. Holdren does not recall referring to it in his 
conversation with you. The Committee has not addressed the previous offers that we have made, 
but OSTP has been — and continues to be — willing to accommodate the Committee’s oversight 
interest by having Dr. Falcone testify on general cybersecurity policy issues. 

I trust you will find the additional information we provide with this letter helpful. OSTP will be
addressing the questions posed in your December 20 letter regarding the Presidential Innovation 
Fellows program under separate cover. In the meantime, OSTP looks forward to continuing to 
work with you on science and technology issues. 


Sincerely, 



Donna M. Pignatelli 
Legislative Affairs Director 


* Email from H. Comm. on Science, Space, & Technology Majority Staff to OSTP staff (Oct. 28, 2013, 5:42 p.m.)
(“I suspect we would touch on related issues raised and addressed in the ‘Cyberspace Policy Review’ and the Dec
2011 report ‘Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development
Program,’ both of which were referred to in Dr. Holdren’s testimony before the Committee in a full committee
oversight hearing on June 20, 2012.”)


cc: The Honorable Eddie Bernice Johnson

Ranking Member 

Committee on Science, Space and Technology 
Enclosure 

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF SCIENCE AND TECHNOLOGY POLICY

WASHINGTON, D.C. 20502


January 15, 2014 


The Honorable Lamar S. Smith 
Chairman 

Committee on Science, Space, and Technology 
2321 Rayburn House Office Building 
Washington, DC 20515 

Dear Chairman Smith, 

Thank you for your letter of December 20, 2013, in which you requested information about the 
Presidential Innovation Fellows (PIF) program. The PIF program pairs top innovators from the 
private sector, non-profits, and academia with top innovators in government to collaborate during 
focused 6-12 month “tours of duty” to develop solutions that can save lives, save taxpayer
dollars, and fuel job creation.

The first round of five projects was launched in August 2012 with 18 inaugural Fellows. For that
first round of Fellows in 2012, OSTP worked with agencies to identify potential projects, 
launched the PIF program and solicited applications, and forwarded all applications to 
participating Federal agencies. Federal agencies then conducted reviews and interviews of the 
applicants, identified relevant skills and expertise, and directly hired Fellows to work on projects 
aimed at supporting entrepreneurs, small businesses, and the economy. 

For the second round of PIFs, OSTP gradually transitioned the program to GSA’s management. 
The two agencies jointly coordinated the application process, and GSA managed the hiring 
process, selected the PIFs with significant input from the agencies sponsoring the PIF projects, 
and assigned Fellows to agencies as detailees on a cost-recoverable basis. Going forward, GSA 
is expected to administer the PIF hiring process. 

You also asked specifically about PIFs at The Center for Medicare and Medicaid Services 
(CMS). As part of the “tech surge” announced in October 2013, CMS brought in top experts 
from both inside and outside government to help improve healthcare.gov. This “tech surge” 
includes two PIFs employed by GSA and detailed to CMS under fully-reimbursable detail 
agreements. The Fellows were selected on the basis of specific technical skills that had been 
identified by the healthcare.gov team as high priority needs, including large scale platform 
development and identity management. The two Fellows working at CMS are scheduled to 
complete their details in approximately one month, on February 14, 2014. 

OSTP looks forward to continuing to work with you on science and technology issues.

Sincerely, 



Donna M. Pignatelli 
Legislative Affairs Director 


cc: The Honorable Eddie Bernice Johnson
Ranking Member 

Committee on Science, Space and Technology 


LAMAR S. SMITH, Texas
CHAIRMAN

EDDIE BERNICE JOHNSON, Texas
RANKING MEMBER

Congress of the United States
House of Representatives

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
2321 Rayburn House Office Building
Washington, DC 20515-6301
(202) 225-6371
www.science.house.gov

December 20, 2013 


The Honorable John P. Holdren

Assistant to the President for Science and Technology 

Director, Office of Science and Technology Policy 

The White House 

Washington, DC 20502 

Dear Dr. Holdren: 

At a hearing held on November 19, the Committee on Science, Space, and Technology
received troubling testimony¹ from online security experts regarding the flaws and vulnerabilities
in the Obamacare website that put the personal data of Americans at risk. The expert witnesses
at our hearing outlined the significant risk of identity theft to Americans if hackers gained access
to their personal information. One of the witnesses, Mr. David Kennedy, is a ‘white hat hacker’
who gave a demonstration of real vulnerabilities with Healthcare.gov, showing how hackers are
attempting to access personal information on the website. According to his testimony, not only
is the website vulnerable, it is under active attack. Even more troubling, Mr. Kennedy testified
that there are “clear indicators that even basic security was not built into the Healthcare.gov
website.”²

The Administration’s recent efforts to address the flaws with the website’s capacity do
not appear to address the larger security and privacy issues raised in our hearing. According to
Mr. Jeffrey Zients, who is in charge of fixing the website, the Obamacare website is “night and
day from where it was on October 1,”³ and it is now “stable and operating at intended capacity
with greatly improved performance.”⁴ Unfortunately, the improved performance does not
include much-needed security enhancements, meaning that more Americans could now be
vulnerable to online criminals and identity theft. According to a blog post by Mr. Kennedy, “Out
of all of the reports, there were no mention to security concerns or addressing the vulnerabilities
identified in the healthcare.gov website... a number of undisclosed exposures have still not been
addressed and exist today.”⁵


¹ House Committee on Science, Space and Technology hearing, “Is My Data on Healthcare.gov Secure?”
November 19, 2013, available at: http://science.house.gov/hearing/full-committee-hearing-my-data-healthcaregov-secure.

² Testimony of Mr. David Kennedy, CEO, TrustedSec, at House Committee on Science, Space and Technology
hearing, “Is My Data on Healthcare.gov Secure?” November 19, 2013, available at:
http://science.house.gov/hearing/full-committee-hearing-my-data-healthcaregov-secure.

³ CBSNEWS.com Staff, “HealthCare.gov improvements ‘night and day’ from October Launch,”
CBSNEWS.COM, December 1, 2013, available at: http://www.cbsnews.com/news/healthcaregov-improvements-night-and-day-from-october-launch.

⁴ Ibid.

Through its jurisdiction over the White House Office of Science and Technology Policy
(OSTP), the Committee sought to hear from Mr. Todd Park, OSTP’s Chief Technology Officer
(CTO), given his familiarity with the website while he was CTO at the US Department of Health
and Human Services (HHS). As you yourself stated upon his hire to OSTP, while at HHS, Mr.
Park “led the successful execution of an array of breakthrough initiatives, including the creation
of HealthCare.gov.”⁶

Additionally, according to the OSTP website, the Administration and OSTP are
committed to advancing policies that will “safeguard the privacy of every American by
strengthening digital security systems and holding governments and businesses accountable for
violations of personal privacy.”⁷

Notwithstanding Mr. Park’s background and leadership position within OSTP, the
Administration has now rejected three invitations to Mr. Park to testify before the Committee.
You stated in a recent phone conversation with Chairman Smith that Mr. Park’s testimony would
raise claims of Executive Privilege - despite the fact that Mr. Park already testified before a
congressional committee on November 13.⁸ Your staff has similarly suggested that Mr. Park’s
activities are protected by Executive Privilege, begging the question: does the Administration
intend to invoke such a claim?

You also stated in your November 26 letter to Chairman Smith that Mr. Park has not been
involved in the security issues of the Healthcare.gov website. That assertion appears to be
contradicted by the fact that Mr. Park was one of three White House co-chairs of the Affordable
Care Act (ACA) Information Technology Exchanges Steering Committee (see Attachment 1).

The stated mission of this Healthcare.gov Steering Committee is to support the timely
and efficient resolution of barriers to assure the implementation of “consumer-centric” health
insurance exchanges. The Steering Committee’s Charter explicitly directs the participants “to
promote resolution of key IT strategy and policy issues that impede progress on Affordable Care
Act activities across the federal government and with the state exchanges,” and to “direct the
formulation of work groups to identify barriers, develop and identify promising practices to
support efficiencies, and develop option papers for the Committee’s consideration.” (Attachment
1). The ACA Exchanges Steering Committee directly oversees both security and privacy
interagency working groups (Attachment 1).


⁵ David Kennedy, “Healthcare.gov Operational - Security concerns not addressed,” TrustedSec, December 2, 2013,
available at: https://www.trustedsec.com/december-2013/healthcare-gov-operational-security-concerns-not-addressed.

⁶ John Holdren, “Todd Park Named New U.S. Chief Technology Officer,” The White House Blog, March 9, 2012,
available at: http://www.whitehouse.gov/blog/2012/03/09/todd-park-named-new-us-chief-technology-officer.

⁷ OSTP website, “Technology and Innovation,” available at:
http://www.whitehouse.gov/administration/eop/ostp/divisions/technology

⁸ House Committee on Oversight and Government Reform, “ObamaCare Implementation: The Rollout of
HealthCare.gov,” November 13, 2013, available at: http://oversight.house.gov/hearing/obamacare-implementation-rollout-healthcare-gov.

From documents provided to Congress, it also appears that this White House-led Steering 
Committee canceled several meetings scheduled over the course of the past year following an 
April briefing on a White House-requested report by McKinsey & Company that warned of
“various problems with the exchange, including limited testing time and resources before the
launch.”⁹ After repeatedly cancelling Steering Committee meetings for five consecutive months,
the White House Steering Committee met again only weeks prior to the launch of the
Healthcare.gov website on October 1. But as we now know, those actions were too little and too
late. 


It is logical to assume that security and privacy responsibility resides at the highest 
level of government. The data passing through the Healthcare.gov website is one of the largest 
collections of personal information ever assembled, linking social security numbers, birth dates,
tax and other financial information from seven different federal agencies, along with state 
agencies and government contractors. We are troubled by the fact that the President either did 
not know, or did not care, that the personal and financial data collected as part of Obamacare is 
not secure. 

The Committee will continue its efforts to examine the safety, security and privacy of 
Americans’ personal data through the Obamacare website. Part of those efforts includes 
oversight of OSTP’s role in the Healthcare.gov website. To that end, please provide the 
following documents from your agency by January 3, 2014:

(1) All schedules and scheduling information (as defined in Attachment 2) for Mr. Todd Park
since arriving at OSTP through the present on topics involving the Healthcare.gov
website and related issues. 

(2) All records and emails (as defined in Attachment 2) to or from any and all OSTP 
employees, including Mr. Todd Park, regarding the ACA, Healthcare.gov, or the ACA 
Information Technology Exchanges Steering Committee. 

(3) All records and information regarding any and all briefings (as defined in Attachment 2) 
with the President and/or White House staff on Healthcare.gov and related issues.

(4) Copies of all records provided in the past, as well as those expected to be provided in the 
future, by OSTP to other congressional committees in response to any ACA or 
Healthcare.gov document requests. 

In responding to the Committee’s request, please provide a Vaughn Index for any 
redactions or documents withheld from us. Specifically, for each redaction and document 
withheld on the basis of an established and accepted privilege, please provide a log containing 
the following information: 


⁹ Jim Acosta and Dana Davidsen, “Private consulting firm warned of glitches before healthcare.gov launch,” CNN
Politics, November 19, 2013, available at: http://politicalticker.blogs.cnn.com/2013/11/i O/private-consulting-firm-warned-of-glitches-before-healthcare-gov-launch.

(1) the privilege asserted;

(2) the type of document; 

(3) the general subject matter; 

(4) the date, author, and addressee, and 

(5) the relationship of the author and the addressee to each other. 

In addition to these documents, please also provide responses to the following questions
by January 3, 2014:

1) As previously mentioned, in your phone conversation with Chairman Smith, you stated
that Mr. Park’s testimony would raise claims of Executive Privilege. Please confirm this
assertion, and if you intend to invoke such a claim, please clarify whether you are basing
it on Mr. Park’s position as CTO at OSTP, or as Assistant to the President?

2) Please explain Mr. Park’s relationship relative to the Presidential Innovation Fellows
program. Please also provide details about which Fellows have been tapped to work on
the Healthcare.gov website as part of the ‘tech surge’ to fix its problems. Your response
to this question should include the names of the Fellows, who selected them to work on
the website, when they started work on the website, whether they are still working on it
and how much longer they are expected to work on it.

3) Finally, please direct Mr. Park to make himself available to Committee staff for a briefing
on his involvement with the website prior to and subsequent to the October launch
date. Please ensure that this meeting takes place before January 10, 2014.

In its haste to launch the Healthcare.gov website, it appears the Obama Administration 
cut corners that leave the site open to hackers and other online criminals. As a result, Americans 
who have already entered personal information into Healthcare.gov are vulnerable to identity 
theft. We already know of numerous attempts to hack into the system and can only assume 
many more have gone unreported. Unless the Obama Administration takes swift action to 
address security, it is likely the worst is yet to come. 

If you have any questions, please have your staff contact Raj Bharwani, Subcommittee on 
Oversight Staff Director, at (202) 225-6371. 

Sincerely, 

Paul Broun, M.D.
Chairman
Subcommittee on Oversight

Larry Bucshon, M.D.
Chairman
Subcommittee on Research & Technology

Lamar Smith
Chairman
Committee on Science, Space,
and Technology

cc: Rep. Eddie Bernice Johnson

Ranking Member 
Committee on Science, Space, 
and Technology 

Rep. Dan Maffei 
Ranking Member 
Subcommittee on Oversight 

Rep. Dan Lipinski 
Ranking Member 

Subcommittee on Research & Technology 
Attachments 

I. Purpose

This Charter establishes the Affordable Care Act IT Exchanges Steering Committee
(Steering Committee) as a collaborative body and a venue for seeking resolution of
persistent interagency challenges and dependencies related to the implementation of
exchanges in support of the Affordable Care Act.

This document outlines the mission, scope and responsibilities of the Steering Committee,
identifies membership and support structures, and defines key processes and procedures. A
Health Exchange Executive Secretariat (Executive Secretariat) has been established as an
agent of the Committee to work with Agencies to: projects fully align under the
Affordable Care Act in providing a streamlined and seamless interface to the American
public and affected industries that will be impacted by the implementation of the health
insurance exchanges under the Affordable Care Act.

II. Mission

The primary mission of the Steering Committee is to support the timely and efficient
resolution of barriers while ensuring the realization of fully operational health insurance
exchanges mandated under the Affordable Care Act. The Steering Committee will (a) address
key Exchange information sharing policies and barriers, (b) work with Departments,
Agencies, and other stakeholders as necessary on the implementation and execution of Health
Insurance Exchanges.


III. Scope and Responsibilities

Steering Committee

The Steering Committee shall provide a forum for seeking resolution of interagency
challenges and to further promote interagency alignments to assure the implementation of
consumer-centric health insurance exchanges under the Affordable Care Act. The Steering
Committee can designate the Executive Secretariat to act on its behalf to meet these functions.
The Steering Committee shall:

• Facilitate interagency discussions to promote resolution to key IT strategy and policy
issues that impede progress on Affordable Care Act activities across the federal
government and with the state exchanges

• Direct the formulation of work groups to identify barriers, develop or identify
promising practices to support efficiencies, and develop option papers for the
Committee’s consideration.


ACA IT Exchanges Steering Committee Charter

• The Steering Committee will meet monthly, or more frequently as deemed necessary
by the Executive Secretariat, beginning in May 2012 through March. The
meeting frequency may be altered by the agreement of the Steering Committee Co-
Chairs. Beginning in April 2014, the Steering Committee will meet on an ad hoc basis
as advised by the Executive Secretariat or requested by the Co-Chairs until it is the
consensus of the Steering Committee members that the Exchange post-implementation
issues have been sufficiently surfaced and addressed.

Executive Secretariat

The Executive Secretariat reports to the co-chairs and will support, coordinate, and act as a
liaison between the Steering Committee and Departments.

The Executive Secretariat will remain operational through January 2015 or until it is the
consensus of the Steering Committee members that the Exchange post-implementation issues
have been sufficiently surfaced and addressed:

• Lead: HHS Program Management Office, Office of the Chief Information Officer

• Members: CMS, IRS, SSA

The Executive Secretariat’s core functions will be as follows:

• Work with the designated workgroups to identify interagency IT policy issues for the
Steering Committee’s consideration

• Responsible for tracking and reporting progress of individual workgroups and
elevating workgroup concerns to the Steering Committee.

• Share recommendation from the Steering Committee with Workgroups and Agencies;
distribute and support the implementation of these recommendations.

• Work closely with Agencies and stakeholders to develop and iterate the plans for
resolution of challenges as appropriate.

Agencies continue to coordinate ACA IT exchange project governance and oversight
functions within their respective organizations and work directly with their IT project teams to
ensure performance and alignment with the Steering Committee recommendations as
appropriate.

Working Groups

Data Sharing and Privacy

• Objectives: Streamlining data use agreements and creating a uniform process for
developing and maintaining computer matching agreements, data use agreements,
ICAs, consent forms, etc.

• Lead: Janet Miner, IRS

• Members: HHS, SSA, DHS, VA, OPM, DoD, Peace Corps

Security Harmonization

• Objectives: Coordinate uniform process to harmonize security and streamline
negotiations/documentation of new agreements within and across each agency

• Co-Leads: Tim May, SSA & Tom Schankweiler, CMS

• Members: VA, DHS, Peace Corps, OPM

Operational Oversight

• Objective: Provide a clearinghouse for issues needing to be analyzed and resolved
among agencies for those issues not covered by other more specific workgroups,
issue tracking and execution of common priorities in a timely/effective manner,
and to assure the maximal alignment with the vision for a consumer-centric
insurance exchange

• Co-Leads: Jim Kerr, CMS, Wanda Brown (IRS)

• Members: HHS, IRS, VA, DHS, Peace Corps, DoD, OPM

IV. Membership and Reporting Structure

The Federal Chief Information Officer (CIO), the Health Program Associate Director, and the
Chief Technology Officer (CTO), in the Executive Office of the President will serve as
co-Chairpersons for the Affordable Care Act IT Steering Committee. Membership will be
comprised of senior executives from each of the participating Departments and Agencies who
understand the ACA and health insurance exchange-related IT and business/mission needs of
their Departments and Agencies and who can make key policy and management judgments on
behalf of the respective Departments.

The following Departments and Agencies are represented on the Committee and will
designate a senior executive as described above as members of the Steering Committee:

• Department of Health & Human Services, Centers for Medicare and Medicaid
Services

• Department of Treasury, Internal Revenue Service

• Department of Homeland Security

• Department of Defense

• Department of Veterans Affairs

• Social Security Administration

• Peace Corps

Additional members may be added if additional interagency dependencies are identified.

Representatives from other Departments and offices, including subject matter experts (SMEs)
and other advisors, may be invited to attend Steering Committee meetings with the
concurrence of the Steering Committee co-Chairs.

V. Administration

A. Meetings

The Steering Committee shall meet as needed and as advised by the Executive
Secretariat. Meetings may be in-person, by conference call, or other “virtual” meeting
tools. Materials shall be distributed to the members prior to the meeting in order for
the members to have adequate time to review and consider the material. The members
will be requested to review and provide comment/feedback on materials as
appropriate.

B. Records Management

The Executive Secretariat will be responsible for appointing a designee to distribute
materials prior to and post meetings (i.e., agenda, meeting minutes).

VI. Agreement

Steven VanRoekel, Executive Office of the President    Date

Keith Fontenot, Executive Office of the President    Date

Todd Park, Executive Office of the President    Date

Donna Roy, Department of Homeland Security    Date

Robert Carey, Department of Defense    Date

Frank Baitman, Department of Health & Human Services    Date

Marilyn Tavenner, Centers for Medicare & Medicaid Services    Date

Dorine Andrews, Peace Corps    Date

Bea Disman, Social Security Administration    Date

Terry Milholland, Department of Treasury/IRS    Date

Alan Constantian, Department of Veterans Affairs    Date

ATTACHMENT 2

1. The term “records” is to be construed in the broadest sense and shall mean any written or
graphic material, however produced or reproduced, of any kind or description, consisting
of the original and any non-identical copy (whether different from the original because of
notes made on or attached to such copy or otherwise) and drafts and both sides thereof
whether printed or recorded electronically or magnetically or stored in any type of data
bank, including, but not limited to, the following: correspondence, memoranda, records,
summaries of personal conversations or interviews, minutes or records of meetings or
conferences, opinions or reports of consultants, projections, statistical statements, drafts,
contracts, agreements, purchase orders, invoices, confirmations, telegraphs, telexes,
agendas, books, notes, pamphlets, periodicals, reports, studies, evaluations, opinions,
logs, diaries, desk calendars, appointment books, tape recordings, video recordings,
e-mails, voice mails, computer tapes, or other computer stored matter, magnetic tapes,
microfilm, microfiche, punch cards, all other records kept by electronic, photographic, or
mechanical means, charts, photographs, notebooks, drawings, plans, inter-office
communications, intra-office and intra-departmental communications, transcripts, checks
and canceled checks, bank statements, ledgers, books, records or statements of accounts,
and papers and things similar to any of the foregoing, however denominated.


2. The terms “relating,” “relate,” or “regarding” as to any given subject means anything that
constitutes, contains, embodies, identifies, deals with, or is in any manner whatsoever
pertinent to that subject, including but not limited to records concerning the preparation
of other records.

LAMAR S. SMITH, Texas
CHAIRMAN

EDDIE BERNICE JOHNSON, Texas
RANKING MEMBER

Congress of the United States
House of Representatives

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
2321 Rayburn House Office Building
Washington, DC 20515-6301
(202) 225-6371
www.science.house.gov

March 27, 2014

The Honorable John P. Holdren 
Director 

Office of Science and Technology Policy 
Executive Office of the President 
725 17th Street NW, Room 5228 
Washington, DC 20502 

Dear Dr. Holdren, 

Thank you for testifying before the Committee on Science, Space, and Technology yesterday. As 
discussed, there are differences in budget priorities where we will simply have to agree to disagree. 
While we have differences of opinion, there is no reason to have differences in facts. I am concerned 
that you created some confusion in your explanation for why Chief Technology Officer Todd Park
refuses to testify before the Committee about his role in Healthcare.gov.

Yesterday, you claimed that Mr. Park “doesn’t report to me... I can’t compel him to come and 
testify.” The statement that he doesn’t report to you appears to contradict your November 26 letter to 
me that stated, “Mr. Park is part of OSTP’s leadership”. On the OSTP website, Mr. Park is listed as a 
member of your leadership team and that he is in charge of a 14-staff division within your Office. 
Further, you wrote a blog post on March 9, 2012, to welcome Mr. Park to OSTP and explained his 
duties. If Mr. Park doesn’t report to you, to whom does he report? 

Likewise, you repeated the statement that Mr. Park “has not been primarily associated with the 
security of the [Healthcare.gov] site.” Mr. Park was the Chief Technology Officer at the Department
of Health and Human Services from August 2009 until March 2012, where he led development of
Healthcare.gov prototype before joining OSTP. After that, Mr. Park was a White House Co-Chairman
of the Affordable Care Act Information Technology Exchanges Steering Committee that even had an
interagency Healthcare.gov security subcommittee directly reporting to him. The only way the
Science, Space, and Technology Committee learned about Mr. Park’s role was through media reports,
and never directly from your office. 

Would you correct or clarify your testimony on this important subject? Further, I hope that you 
will change your position about not allowing Mr. Park to testify. 


Sincerely, 



Lamar Smith 
Chairman 

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 


November 14, 2013 


The Honorable Lamar S. Smith 
Chairman 

House Committee on Science, Space, and Technology 
2321 Rayburn HOB 
Washington, D.C. 20515

Dear Chairman Smith, 

Thank you for your letter of November 13, 2013, inviting Todd Park to testify at a December 5,
2013, hearing before the Committee on Science, Space, and Technology that will address the
security standards and technical measures to protect personal information on the healthcare.gov
website.

As I explained previously in my November 8th letter to the Committee, the Office of Science and
Technology Policy (OSTP) has not been substantially involved in the privacy and security
standards for healthcare.gov. Thus, neither Mr. Park nor any other OSTP staff member is in a
position to testify on the data security standards of the website.

Indeed, when asked about the security features of the healthcare.gov website during a hearing
yesterday before another committee, Mr. Park explained that he has not been working on these
issues and suggested that the Centers for Medicare and Medicaid Services (CMS) security team
is better situated to answer such questions. As I have offered previously, however, I remain
willing to check the availability of OSTP Associate Director for National Security and
International Affairs Patricia Falcone to testify on general cybersecurity issues, as she has
worked on cybersecurity policy since her confirmation. But if the focus of the hearing will be
the data security standards for healthcare.gov, OSTP must defer to CMS, which is better
positioned to accurately answer any questions.

Finally, as you know, longstanding OSTP policy ordinarily permits only Senate-confirmed staff
to testify before Congress. Our current staff consists of two Senate-confirmed individuals:
Dr. John Holdren, our Director, and Dr. Falcone. If you wish, I am available to continue
discussions with your staff regarding Dr. Falcone or an alternative witness for the hearing. In
this event, OSTP requests that the hearing take place the week of December 9-13 or later, given
scheduling conflicts the first week of December.

I appreciate your letter and look forward to continuing to work with you and the Committee on
science and technology issues. 


Sincerely, 

Donna M. Pignatelli

Assistant Director for Legislative Affairs 



cc: The Honorable Eddie Bernice Johnson 

Ranking Minority Member 



Congress of the United States
House of Representatives

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
2321 Rayburn House Office Building
Washington, DC 20515-6301
(202) 225-6371

November 18, 2013


The Honorable John P. Holdren 

Director, Office of Science and Technology Policy 

Executive Office of the President 

725 17th Street NW, Room 5228 

Washington, DC 20502 

Dear Dr. Holdren, 


The Science, Space, and Technology Committee invited a member of OSTP leadership, 
Todd Park, to testify before the Committee on December 5th on the role of OSTP in setting 
internet policies related to the healthcare.gov website, especially those related to privacy and 
security standards. Mr. Park has been identified as being involved in the development of the 
website and the so-called tech surge to fix it. 


Late last Thursday, the Committee received a letter from OSTP staff that Mr. Park would 
not accept my invitation to testify on December 5th. While Mr. Park is not Senate-confirmed, he 
is identified as the only other member of OSTP leadership other than yourself on OSTP’s 
website. Please note that on October 31st, I invited Mr. Park to testify for our hearing on 
November 19th. Your staff indicated a willingness to investigate his availability after November 
30th before sending the letter to decline my invitation. 


I am sure you agree that accountability and transparency are bedrock fundamentals for a 
healthy democracy, so I hope you will encourage Mr. Park to testify. Thank you for considering 
this request. 


I am happy to discuss this issue further at your convenience. 


Sincerely, 




Lamar Smith 
Chairman 
EXECUTIVE OFFICE OF THE PRESIDENT 

OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 


November S, 2013 


The Honorable Lamar S. Smith 
Chairman 

House Committee on Science, Space, and Technology 
2321 Rayburn HOB 
Washington, D.C. 20515 

Dear Chairman Smith, 

Thank you for your letter of October 31, inviting Todd Park to testify before your committee on 
November 19 at a hearing titled, “Is Your Data on the Healthcare.gov Website Secure?” 

In communications with your staff on October 30 and 31, I explained that OSTP has not been 
substantially involved in the privacy and security standards that are in place for healthcare.gov. 
The Centers for Medicare and Medicaid Services (CMS) is in a far better position to discuss the 
standards that are in place for the website. 

I offered that, while OSTP has no one to testify on the data security standards of healthcare.gov, 
I would be willing to check the availability of OSTP Associate Director for National Security 
and International Affairs Patricia Falcone to testify on general cybersecurity issues. Dr. Falcone 
has worked on cybersecurity policy since her confirmation. 

I explained to your staff that Mr. Park is currently working full-time to assist CMS in the 
ongoing and critically important efforts to quickly improve the operation of the healthcare.gov 
website for the millions of Americans who are seeking quality, affordable health insurance 
options. He cannot be pulled away from those efforts at this time. 

Finally, longstanding OSTP policy ordinarily permits only Senate-confirmed staff to testify 
before Congress. Our current staff consists of two Senate-confirmed individuals: Dr. John 
Holdren, our Director, and Dr. Falcone. As you know, Mr. Park is not Senate-confirmed. If you 
wish, I am available to continue discussions with your staff regarding Dr. Falcone or an 
alternative witness for the November 19 hearing. 

We appreciate your invitation and look forward to continuing to work with you and the 
Committee on science and technology issues. 


Sincerely, 



Donna M. Pignatelli 

Assistant Director for Legislative Affairs 


cc: The Honorable Eddie Bernice Johnson 

Ranking Minority Member 


EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 


April 3, 2014 


The Honorable Lamar S. Smith 
Chairman 

Committee on Science, Space, and Technology 
2321 Rayburn House Office Building 
Washington, DC 20515 

Dear Chairman Smith: 

Thank you for the opportunity to testify before the Committee on Science, Space, and 
Technology on March 26 regarding the Fiscal Year 2015 budget. 

In response to your letter of March 27, I believe that my hearing testimony regarding Todd Park 
was clear, but I am pleased to repeat here the points that I made, and that I and my office have 
made previously, to ensure that there is no confusion on your part or on the part of other 
Members. 

In previous correspondence, OSTP explained that Mr. Park is part of OSTP’s leadership. The 
Office of the United States Chief Technology Officer is located in OSTP as a matter of both 
administrative convenience and of coordination and mutual support on substance. Inasmuch as 
Mr. Park’s office and staff are part of OSTP — and inasmuch as he is an Assistant to the President 
and therefore holds the same rank as I do — it is only natural that I would consider him to be part 
of the OSTP leadership team, as a partner and not a subordinate. That, of course, is fully 
consistent with my testimony at last week’s hearing. 

At that hearing, I made reference to OSTP’s previous statement that Mr. Park has not been 
primarily associated with the security of healthcare.gov. For substantiation on that point, I 
would refer you to a January 15, 2014, letter to you in which my office stated: “[P]rimary 
responsibility for monitoring, managing, and overseeing the security of the FFM rests with the 
Centers for Medicare and Medicaid Services (CMS).” I would further refer you to paragraphs 
four and five of that letter for an explanation of the points you raise in your March 27 letter. 

OSTP has explained that it would not be productive for the Committee to hear from Mr. Park on 
the development and management of the security aspects of healthcare.gov. But we have made 
repeated efforts to accommodate the Committee’s stated interest in the security of the site, 
including offering to make available OSTP’s Senate-confirmed official most knowledgeable 
about general cybersecurity issues. We made those efforts at accommodation in no small part 
because we value our relationship with the Committee. The Committee has not responded to 
these offers, but we remain willing to engage with the Committee on that accommodation, and 
on science and technology issues generally. 


Sincerely, 





John P. Holdren 

Assistant to the President for Science and Technology 
Director, Office of Science and Technology Policy 


cc: The Honorable Eddie Bernice Johnson 

Ranking Member 

Committee on Science, Space and Technology 
LAMAR S. SMITH, Texas 
CHAIRMAN 


EDDIE BERNICE JOHNSON, Texas 
RANKING MEMBER 


Congress of the United States 

House of Representatives 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
2321 Rayburn House Office Building 
Washington, DC 20515-6301 
(202) 225-6371 

November 13, 2013 


Mr. Todd Park 

Chief Technology Officer 

Office of Science and Technology Policy 

725 17th Street, N.W. 

Washington, DC 20502 

Dear Mr. Park: 

On October 31, 2013, I invited you to participate in a hearing to be held on November 19, 2013, 
before the Committee on Science, Space, and Technology (attached). Through a member of 
your staff, you declined to participate in the month of November due to constraints on your time 
with the healthcare.gov website. The Committee is inviting you to testify at a hearing on 
December 5, 2013, at 9:00am. The hearing will focus on the questions presented to you in the 
October 31, 2013, letter. 

Please confirm your attendance by responding to this letter by November 15, 2013. If you have 
any questions, please contact Mr. Raj Bharwani, Committee on Science, Space, and Technology, 
at (202) 225-6371. I look forward to your participation in the hearing. 

Sincerely, 

Lamar Smith 
Chairman 



cc: Rep. Eddie Bernice Johnson 

Ranking Member 


Attachment 
EDDIE BERNICE JOHNSON 
RANKING MEMBER 


Congress of the United States 

House of Representatives 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
2321 Rayburn House Office Building 
Washington, DC 20515-6301 
(202) 225-6371 

October 31, 2013 


Mr. Todd Park 

Chief Technology Officer 

Office of Science and Technology Policy 

725 17th Street, N.W. 

Washington, DC 20502 

Dear Mr. Park: 

On Tuesday November 19, 2013, at 10:00 a.m. in Room 2318 of the Rayburn House Office Building, the 
Committee on Science, Space, and Technology will hold a hearing titled, “Is Your Data on the 
Healthcare.gov Website Secure?” I am writing to formally invite you to testify at this hearing. 

The hearing will examine concerns about the lack of privacy standards for personal information passing 
through the Healthcare.gov website and the threat posed to Americans if hackers on the internet gained 
access to such information. 

The data passing through the Healthcare.gov website is one of the largest collections of personal 
information ever assembled, linking information from seven different federal agencies along with state 
agencies and government contractors. In order to gain information on potential healthcare coverage 
through the website, users must input personal contact information, birth dates and social security 
numbers for all family members, as well as household salary and debt information. Users may also be 
asked to verify home mortgage and credit card information, place of employment, previous addresses, and 
whether the person has any physical or mental disabilities. 

In your testimony, please be prepared to discuss what specific security standards and technical measures 
are in place to protect Americans’ privacy and personal information that passes through the 
Healthcare.gov website, and what specific steps are in place to mitigate scenarios in which the system is 
hacked, or personal information is compromised or leaked. 

You are requested to submit a written statement, which may be of any reasonable length and may contain 
supplemental materials; however, please be aware that the Committee cannot guarantee that supplemental 
material will be included in the printed hearing record. Oral statements and answers to Member questions 
will be printed as part of the record of the hearing; only technical, grammatical, and typographical errors 
will be corrected. In order to allow sufficient time for questions at the hearing, you should highlight the 
most significant points in your testimony in an oral presentation of no more than five minutes. 

Witnesses testifying before the Committee on Science, Space, and Technology must observe the 
procedures governing witness testimony. These procedures are described in the following enclosures and 
provide important details concerning the preparation and presentation of your testimony before the 
Committee on Science, Space, and Technology on November 19, 2013, at 10:00 a.m.: 

• The first enclosure outlines the rules governing appearance before the Committee. 

• The second enclosure provides you with the Committee’s Hearing Room Capabilities. 

• The third enclosure provides you with the Truth-in-Testimony Instructions and the Truth-in- 
Testimony Disclosure Form. 

Please email your testimony, biography, and truth in testimony form to Ms. Sarah Grady at 
Sarah.Grady@mail.house.gov as soon as it is available, but not less than 48 hours before the hearing. 
Sixty-five copies of your testimony must also be hand delivered to the Committee’s main office, Room 
2321 Rayburn Office Building, 48 hours prior to the hearing. Due to increased security measures in place 
at House office buildings, you will need to contact Ms. Grady to arrange for delivery of your testimony at 
(202) 225-6371. 

In addition, if you wish to use the Committee’s multimedia facilities during your oral testimony, a 
description of which is enclosed, please contact Mr. David Hartzler at david.hartzler@mail.house.gov. 
Our staff can usually accommodate most requests with 72 hours’ notice. 

If you have any questions concerning any aspect of your testimony, please contact Mr. Raj Bharwani, 
Committee on Science, Space, and Technology, at (202) 225-6371. I look forward to your participation 
in the hearing. 


Sincerely, 


Lamar Smith 
Chairman 


Enclosures (1) Rules Governing Appearance before the Committee on Science, Space, and 
Technology 

(2) Hearing Room Capabilities 

(3) Truth-In-Testimony Instructions and Truth-In-Testimony Disclosure Form 


cc: 


Rep. Eddie Bernice Johnson 
Ranking Member 
Enclosure 1 


MEMORANDUM 

TO: WITNESSES APPEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT OF THE 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY DURING THE 113th 
CONGRESS 

FROM: COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 

RE: RULES GOVERNING APPEARANCE BEFORE THE SUBCOMMITTEE 


The following procedures govern witnesses appearing before the Committee on Science, Space, 
and Technology for the 113th Congress: 

1. The Rules of the Committee require you to complete the attached Truth-In-Testimony 
Disclosure Form to disclose the amount and source (by agency and program) of any 
Federal grant (or subgrant thereof) or contract (or subcontract thereof) received during 
the current fiscal year or either of the two previous fiscal years by you or by an entity 
represented by you which are relevant to the subject matter of your testimony or the 
hearing at which you are testifying. Should you need extra space, please provide 
additional information on a separate sheet of paper. 

2. You must submit to the Committee a draft copy of your written testimony no less than 
72 hours, excluding weekends and Federal holidays, before you are to testify. 

3. No less than 48 hours, excluding weekends and Federal holidays, before you are to 
testify, you must also submit to the Committee: 

• An electronic copy of your final written testimony, preferably in searchable PDF 
format, including any supporting graphs, charts, or slideshows. This electronic 
version will be posted on the Committee website, and will be accessible by the 
public. 

• Forty-five (45) hard copies of your final written testimony, including any 
supporting graphs, charts, or materials; 

• An electronic copy of a short narrative biography; 

• Forty-five (45) hard copies of a short narrative biography; 

• Two (2) hard copies of your Curriculum Vitae; and 

• Two (2) hard copies, including one signed original, of your completed Truth-In- 
Testimony Disclosure Form. 

5. You must notify the Committee no later than 48 hours before you are to testify if you 
want to use any multimedia capabilities as provided by the hearing room, and must 
provide all material to be presented in this fashion in hard copy form to the Committee. 
Please see Enclosure 2 for further explanation of hearing room capabilities. 

If you are using any of the room's multimedia capabilities, you or your designee must 
arrive no less than 30 minutes before the designated start time of the hearing to allow 
for set-up. Failure to do so may result in the multimedia portion of the presentation 
being canceled. 

6. Transcripts of hearings conducted by the Committee shall be published in substantially 
verbatim form, subject only to technical, grammatical, and typographical corrections; 


NOTE: Section 210 of the Congressional Accountability Act of 1995 applies the rights 
and protections covered under the Americans with Disabilities Act of 1990 to the 
United States Congress. Accordingly, the Committee on Science and Technology 
strives to accommodate/meet the needs of those requiring special assistance. If you 
need special accommodation or require materials in alternative formats, please 
contact the Committee on Science and Technology in advance of the scheduled event 
(3 days requested) by telephone at (202) 225-6371, by facsimile at (202) 226-0113, or 
TTY (202) 226-4410. 
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
HEARING ROOM CAPABILITIES 


Equipment Capabilities 

A) PROJECTOR — The hearing room is equipped with a ceiling-mounted projector capable of 
displaying computer graphics and video feed. 

B) DROP DOWN VIDEO SCREEN — The rear of the hearing room is equipped with a large 
drop down screen viewable from the dais and side seats. 

C) WALL-MOUNTED LCD MONITORS — The hearing room is equipped with two monitors, 
one on each side of the room, for audience viewing. 

D) WITNESS MONITOR — A monitor will also be in place in front of the witness table so 
witnesses can see the screen, as well. 

Computer-Based Presentation 

Please bring your presentation on a memory stick (flash drive, thumb drive) or on your personal 
laptop to the hearing room at least a half-hour before the hearing so that we may help you set it 
up at the witness table. If you bring your presentation on a laptop, your laptop should be 
equipped with a functioning graphics port with either a VGA or MAC external connector. 
Because there are many makes and models of laptops, please be prepared to operate the external 
graphics port for your own laptop. 

Audiovisual/Multimedia Capabilities 

A) The room supports the following transmission methods to broadcast committee activities to 
remote sites: 

1. Telephone Conferencing (Audio Only). 

2. Live Audio-Video Streaming (Webcasting). 

3. Video Teleconferencing. 

4. Video and Audio overflow transmission to room 2325. 

B) The room receives House Cable TV feeds for display. 

C) The hearing room equipment can playback and display compact discs, dvd discs, and 
overhead slides. 

Equipment Support 

Questions should be directed to David Hartzler at david.hartzler@mail.house.gov . 
Instructions for Completing the Truth-in-Testimony Disclosure Form 

In General. The accompanying form is intended to assist witnesses appearing before the 
Committee on Science, Space, and Technology Subcommittee on Oversight in complying with 
Rule XI, clause 2(g)(5) of the Rules of the House of Representatives. The rule requires that: 

In the case of a witness appearing in a nongovernmental capacity, a written statement 
of proposed testimony shall include a curriculum vitae and a disclosure of the amount 
and source (by agency and program) of any Federal grant (or subgrant thereof) or 
contract (or subcontract thereof) received during the current fiscal year or either of the 
two previous fiscal years by the witness or by an entity represented by the witness. 

Such statements, with appropriate redactions to protect the privacy of the witness shall 
be made publicly available in electronic form not later than one day after the witness 
appears. 

Please complete the form in accordance with these directions. 

1. Name (Item 1 on the form). Please provide the name of the witness in the box at the top of 
the form. 

2. Governmental Entity (Item 2). Please check the box indicating whether or not the witness 
is testifying on behalf of a government entity, such as a Federal department or agency, or a 
State or local department, agency, or jurisdiction. Trade or professional associations of 
public officials are not considered to be governmental organizations. 

3. Nongovernmental Entity (Item 3). Please check the box indicating whether or not the 
witness is testifying on behalf of an entity that is not a governmental entity. 

4. Entity(ies) to be Represented (Item 4). Please list all entities on whose behalf the witness 
is testifying. 

5. Grants and Contracts (Item 5). Please list any Federal grants or contracts (including 
subgrants or subcontracts) that the witness personally or the entity the witness is 
representing has received from the Federal Government on or after October 1, 2010. 

6. Representational Capacity (Item 6). If the answer to the question in item 2 is yes, please 
characterize the capacity in which the witness is testifying on behalf of the entities listed in 
item 4. 

7. Affiliated Entities (Item 7). Please indicate whether the entity on whose behalf the witness 
is testifying has parent organizations, subsidiaries, or partnerships that are not represented 
by the testimony of the witness. 

8. Grants and Contracts (Item 8). Please disclose grants and contracts as directed. 

9. Submission. Please sign and date the form in the appropriate place. Please submit this 
form with your written testimony. Please note that under the Committee’s rules, copies of a 
written statement of your proposed testimony must be submitted before the commencement 
of the hearing. To the greatest extent practicable, please also provide a copy in electronic 
format, preferably in searchable pdf format. Written testimony and the Truth-In-Testimony 
disclosure form will be made publicly available and posted on the Committee’s website. 


Enclosure 3 


Committee on Science, Space, and Technology 
U.S. House of Representatives 

Witness Disclosure Requirement - "Truth in Testimony" 
Required by House Rule XI, Clause 2(g)(5) 


1. Your Name: 


2. Are you testifying on behalf of the Federal, or a State or local 
government entity? 


Yes 


No 


3. Are you testifying on behalf of an entity that is not a government 
entity? 


Yes 


No 


4. Other than yourself, please list which entity or entities you are representing: 


5. Please list any Federal grants or contracts (including subgrants or subcontracts) that 
you or the entity you represent have received on or after October 1, 2010: 


6. If your answer to the question in item 3 in this form is “yes,” please describe your 
position or representational capacity with the entity(ies) you are representing: 


7. If your answer to the question in item 3 is “yes,” do any of the 
entities disclosed in item 4 have parent organizations, subsidiaries, 
or partnerships that you are not representing in your testimony? 


Yes 


No 


If the answer to the question in item 3 is “yes,” please list any Federal grants or 
contracts (including subgrants or subcontracts) that were received by the entities listed 
under the question in item 4 on or after October 1, 2010, that exceed 10 percent of the 
revenue of the entities in the year received, including the source and amount of each 
grant or contract to be listed: 


I certify that the above information is true and correct. 
Signature: 


Date: 
EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 


November 26, 2013 


The Honorable Lamar S. Smith 
Chairman 

House Committee on Science, Space, and Technology 
2321 Rayburn HOB 
Washington, D.C. 20515 

Dear Chairman Smith: 

Thank you for your phone call on Wednesday, which followed up on your letter of November 
18, 2013. It was a pleasure speaking with you. 

In our conversation and in your letter, you mentioned the Committee on Science, Space, and 
Technology’s December 5th hearing regarding the security standards and technical measures to 
protect personal information on the healthcare.gov website. You asked that I encourage Todd 
Park to testify before the Committee on this topic. 

As I understand my staff explained in response to your earlier invitation, neither Mr. Park nor 
any other Office of Science and Technology Policy (OSTP) staff member is in a position to 
testify on the data-security standards of the healthcare.gov website, as OSTP has not been 
substantially involved in developing those standards. Mr. Park previously testified that he has 
not focused on those issues and suggested that the Centers for Medicare and Medicaid Services 
(CMS) security team is in a better position to answer such questions. 

Further, as you know, longstanding OSTP policy ordinarily permits only Senate-confirmed staff 
to testify before Congress. While Mr. Park is part of OSTP’s leadership, he is not Senate- 
confirmed. Our current staff consists of two Senate-confirmed individuals: OSTP Associate 
Director for National Security and International Affairs Patricia Falcone and me. In our 
conversation, I offered that Dr. Falcone would be willing to testify on general cybersecurity 
policy issues, although she would not be able to comment specifically on the data-security 
standards for healthcare.gov. Should you decide to invite Dr. Falcone to testify, I request that the 
hearing take place after December the 9th because of scheduling conflicts during the first week of 
December. 

Thank you again for taking the time to talk with me on Wednesday. I value our relationship and 
hope we will continue to have open discussions on issues before the Committee. As you know, I 
have testified before the Committee three times this year, and I remain committed to working 
with you on science and technology issues. 

Sincerely, 

John P. Holdren 
Director 

cc: The Honorable Eddie Bernice Johnson 

Ranking Minority Member 


THE WHITE HOUSE 

WASHINGTON 


November 17, 2014 


The Honorable Lamar Smith 
Chairman 

Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

The Honorable Paul Broun 
Chairman 

Subcommittee on Oversight of the 
Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

Dear Chairman Smith and Chairman Broun: 

I am following up on my letter of November 14, 2014, to address the substantial progress 
that has been made among our staffs in addressing the Committee on Science, Space, and 
Technology’s interest in information concerning the healthcare.gov website and former United 
States Chief Technology Officer Todd Park. In just two months after the Committee asked to 
receive additional documents, the Office of Science and Technology Policy (OSTP) has 
produced over 8,000 pages of documents to the Committee. That is in addition to the more than 
1,000 pages the Committee received earlier this year from OSTP, and the 1,324 pages of 
documents delivered to the Committee from among the materials produced to Congress by the 
Department of Health and Human Services. In addition to the 10,000-plus pages of documents 
the Committee has received, Mr. Park made himself available for a meeting with both of you in 
June to answer any questions. Mr. Park will also testify at a hearing before the Oversight 
Subcommittee this week, a hearing that he had agreed to attend voluntarily by letter dated 
September 16, 2014. 

With respect to the Committee’s document requests, the progress our staffs have made is 
encouraging. As you are aware, there exists an important and longstanding tradition by which 
Congress and the Executive, two co-equal branches of government, seek to accommodate the 
legitimate needs of one another. That tradition finds its roots in the Constitution itself, an 
“implicit constitutional mandate to seek optimal accommodation through a realistic evaluation of 
the needs of the conflicting branches in the particular fact situation.” United States v. American 
Tel. & Tel. Co., 567 F.2d 121, 127 (D.C. Cir. 1977). 

In prior correspondence, we have explained that certain of the Committee’s requests for 
information have run up against long-recognized Executive Branch confidentiality interests. As 
Administrations of both political parties have long explained, if the Executive Branch is to 
function as the Constitution intends, it is imperative that White House advisers feel at liberty to 
have free and open deliberations and discussions, and that liberty frequently depends upon the 
expectation of confidentiality. 

The Committee has consistently articulated an interest underlying its information 
requests, namely, the effort “to examine the safety, security and privacy of Americans’ personal 
data through the Obamacare website.”¹ More recently, the Committee has elaborated on that 
interest in security, stating that the Committee’s “jurisdiction over the Federal Information 
Security Management Act and the National Institute of Standard and Technology conveys to our 
Committee oversight over the security and implementation of Healthcare.gov.”² 

The Executive Branch has made substantial efforts to accommodate the Committee’s 
articulated oversight interest consistent with its own constitutional and statutory responsibilities. 
As explained in prior correspondence, OSTP has produced documents based on the priorities 
articulated by Subcommittee staff. Specifically, OSTP expedited the production of documents 
from the time period that your staff indicated is of greatest interest to the Committee — April 1, 
2013, to October 1, 2013. A very small proportion of the documents produced to the Committee 
on October 10 and October 31, 2014, contained limited redactions in service of Executive 
Branch’s confidentiality interests. For the 30 redacted documents your staff identified as of 
interest, we have been able to make appropriate accommodations to provide your staff with 
access to additional information, including, in many cases, in camera review of fully unredacted 
materials; indeed, for those documents, there has not been one on which we have refused to 
make an additional accommodation. We have also agreed to the extraordinary step of allowing 
your staff to have temporary possession of certain of these documents solely for your non-public 
use in preparing members of the House Science Oversight Subcommittee who may participate in 
this week’s hearing. 

As explained in prior correspondence, we also identified a small subset of materials that 
implicate longstanding Executive Branch interests that initially were not produced in prior 
document productions. Here too we have made significant and in some cases extraordinary 
accommodations to address your articulated information needs. In consultation with your staff, 
we identified via an electronic term search 17 documents that arguably touch on the security of 
the website. We have already offered accommodations on nearly all of these materials, agreeing 
to produce some to the Committee with limited redactions and allowing your staff to inspect 
others in camera. Furthermore, when your staff expressed a new desire for information 
concerning testing and the functionality of the website, we agreed to consider potential 


^ Letter from the Hon. Lamar Smith, Paul Broun, M.D., and Larry Bucshon, M.D., to the Hon. John P. Holdren, 
Director, Office of Science and Technology Policy (December 20, 2013) [hereinafter “December 20 Letter”], at 3. 
Put in even greater detail, when Chairman Smith initially wrote to Mr. Park to express interest in healthcare.gov, the 
letter asked Mr. Park to address “what specific security standards and technical measures are in place to protect 
Americans’ privacy and personal information that passes through the Healthcare.gov website, and what specific 
steps are in place to mitigate scenarios in which the system is hacked, or personal information is compromised or 
leaked.” Letter from the Hon. Lamar Smith, Chairman, Committee on Science, Space, and Technology, to Todd 
Park, Assistant to the President and United States CTO (October 31, 2013), at 1. 

^ Email from H. Comm. on Science, Space, & Technology Majority Staff to White House Counsel’s Office staff 
(Nov. 12, 2014, 7:35 p.m.) 


accommodations we might offer to provide additional information with the goal of reaching a 
mutually agreeable resolution of the Committee’s outstanding document requests. I expect we 
will be able to have further productive discussions on these documents. 

Thus, notwithstanding the extremely broad subpoena issued by the Committee, we have 
substantially narrowed the gap between our respective interests in the documents. The efforts we 
have made to do so reflect our deep commitment to cooperating with Congressional requests for 
information to the fullest extent consistent with the constitutional and statutory responsibilities of 
the Executive Branch. We look forward to continued progress in our discussions. 



cc: The Honorable Eddie Bernice Johnson 

Ranking Minority Member 
Committee on Science, Space, and Technology 

The Honorable Dan Maffei 
Ranking Minority Member 
Subcommittee on Oversight 

THE WHITE HOUSE 

WASHINGTON 


November 14, 2014 


The Honorable Lamar Smith 
Chairman 

Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

The Honorable Paul Broun 
Chairman 

Subcommittee on Oversight of the 
Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

Dear Chairman Smith and Chairman Broun: 

I write in further response to the Committee on Science, Space, and Technology’s interest 
in information concerning the healthcare.gov website and former United States Chief 
Technology Officer Todd Park. Enclosed with this letter are an additional 573 pages of 
documents that are responsive to the document subpoenas issued by the Subcommittee. One 
attachment that would otherwise have been included in the production did not render effectively. 
That document will be separately made available to the Committee for review. 

This production further demonstrates OSTP’s commitment to foster a productive working 
relationship with the Committee and to satisfy the Committee’s request for information, 
consistent with the interests of the Executive Branch. In addition, I am aware that our staffs have 
been meeting to discuss certain documents identified during the review of records thus far that 
implicate long-recognized Executive Branch confidentiality interests and have been pleased to 
learn that they have made steady progress towards identifying appropriate accommodations with 
respect to those documents. I trust that those meetings will continue in the same collaborative 
spirit moving forward. 


Sincerely, 



Jennifer O’Connor 

Deputy Counsel to the President 



Enclosure (documents Bates numbered OSTP ACA 8588-OSTP ACA 9160) 


cc: The Honorable Eddie Bernice Johnson 
Ranking Minority Member 
Committee on Science, Space, and Technology 

The Honorable Dan Maffei 
Ranking Minority Member 
Subcommittee on Oversight 





LAMAR S. SMITH, Texas 
CHAIRMAN 

EDDIE BERNICE JOHNSON, Texas 
RANKING MEMBER 

Congress of the United States 
House of Representatives 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
2321 Rayburn House Office Building 
Washington, DC 20515-6301 
(202) 225-6371 
www.science.house.gov 

November 18, 2014 


Honorable John P. Holdren, Director 

Mr. Todd Park, U.S. Chief Technology Officer 

Office of Science and Technology Policy 

Executive Office of the President 

725 17th Street NW 

Washington, DC 20502 

Dear Dr. Holdren and Mr. Park, 

For over a year, the Committee on Science, Space, and Technology (Committee) has patiently and 
persistently sought information from the Office of Science and Technology Policy (OSTP) regarding 
its role in Healthcare.gov. As stated in our October 31, 2013, letter to Mr. Park, our interests began 
with the “lack of privacy standards for personal information passing through the Healthcare.gov 
website and the threat posed to Americans if hackers on the Internet gained access to such 
information.” 

The Committee sought further information about the role of Mr. Park and OSTP in this regard in a 
letter in December 2013 and received some limited information in January 2014. In July of 2014, the 
Committee received additional documents from the House Committee on Oversight and Government 
Reform (OGR) that they had obtained through their own inquiries. These documents suggested a much 
more extensive role by Mr. Park and OSTP personnel in the Healthcare.gov website than was 
previously conveyed to the Committee. Consequently, the originally stated interest was expanded 
after the Committee received these documents that demonstrated Mr. Park’s actual role was decidedly 
different than what he testified to before OGR on November 13, 2013. 

Over the course of the past year, the Committee repeatedly asked for Mr. Park to testify before the 
Committee. Unfortunately, these requests were rebuffed. Instead, OSTP offered for Mr. Park to brief 
the Committee on his role and responsibilities. This briefing would not be open to the public, but an 
opportunity for the Committee members to hear directly from Mr. Park. We had set a mutually agreed 
upon time for the briefing on September 10th, but OSTP reneged on its offer the night before after it 
learned that the briefing would be transcribed. 

After multiple unsuccessful attempts to secure Mr. Park’s testimony, the Committee was left no 
other choice but to subpoena both Mr. Park and all documents and communication that establish his 
actual involvement with Healthcare.gov. That subpoena demanded the production of any and all 
documents including communications that: 

“...are related to the HealthCare.gov website, including but not limited to documents related to its 
hardware, software, design, testing, user capacity, operation, privacy protections, security, and 
problems, and also including but not limited to related contracts, reports, data submissions (including 
by contractors and insurers), and the federal data hub.” 

I. Jurisdiction & Legislative Purpose. 

Under House Rule X (I)(p), this Committee and its corresponding Subcommittee have jurisdiction 
over the OSTP and the National Institute for Standards and Technology (NIST). This Committee 
authorized the creation of the OSTP in 1976. This Committee has the authority to oversee the 
agencies responsible for setting cyber privacy and security policies and standards for the rest of the 
federal government including OSTP and NIST. In addition, under House Rule XI, the Committee is 
permitted to “conduct at any time such investigations and studies as it considers necessary or 
appropriate in the exercise of its responsibilities.” 

As for the Committee’s legislative purpose, OSTP, through the Office of the White House Counsel 
(OWHC), has requested that we explain what our legitimate interests are for seeing the subpoenaed 
documents in an un-redacted format. The Committee’s jurisdiction over the Federal Information 
Security Management Act and the National Institute of Standards and Technology conveys to this 
Committee oversight over the security and implementation of HealthCare.gov. 

The U.S. Supreme Court has unequivocally established that Congress’ power to conduct 
investigations and oversight is so essential to the legislative function that it may be implied from the 
general vesting of all legislative powers in Congress. In McGrain v. Daugherty, the Supreme Court 
described the power of inquiry, with the accompanying process to enforce it, as “an essential and 
appropriate auxiliary to the legislative function.” (McGrain, 273 U.S. at 174-5.) The Court also 
noted that “[a] legislative body cannot legislate wisely or effectively in the absence of information 
respecting the conditions which the legislation is intended to affect or change.” (Id.) 

In Eastland v. United States Serviceman’s Fund, the Court stipulated that the “scope of 
[Congress’s] power of inquiry ... is as penetrating and far-reaching as the potential power to enact and 
appropriate under the Constitution.” (Eastland, 421 U.S. at 504 n.15 (quoting Barenblatt, 360 U.S. at 
111)). The Court has also described Congressional power as “broad,” “indispensable,” and 
“encompassing inquiries concerning the administration of existing laws as well as proposed or 
possible needed statutes.” (Watkins, 354 U.S. at 187.) 

Absent an express statutory restriction, federal courts have held that executive agencies may not 
refuse to provide information to Congress, even if such information is confidential, proprietary, or 
otherwise barred from being disclosed to the public. (F.T.C. v. Owens-Corning Fiberglass Corp., 626 
F.2d 966, 970 (D.C. Cir. 1980); Exxon Corp., 589 F.2d at 585-6; Ashland Oil, 548 F.2d at 979). 

Based on the issues surrounding its rollout, Congress has a responsibility to review the standards 
that were used to ensure its security and functionality to the American people. However, to properly 
conduct our legislative and oversight responsibilities, we have to depend on the veracity of those that 
have provided Congress with information. Any misinformation given to Congress impedes our 
constitutional ability to formulate a response. Based on emails and other documents received by the 
Committee, we have reason to believe that OSTP’s correspondence to the Committee and Mr. Park’s 
testimony before OGR has not been forthcoming about Mr. Park’s involvement in Healthcare.gov and 
such misinformation impedes this Committee’s ability to conduct oversight and respond to the 
problems associated with the website. 

II. OSTP’s Failure to Comply 

Since the duly issued and served subpoena on September 19, 2014, the Committee has received 
thousands of documents. However, responsiveness is not measured by the number of pages produced, 
but by completely fulfilling the requests from Congress. Sending multiple copies of long documents, 
many with questionable redactions, is not cooperating with the process but is a tactic used to confuse 
and delay the Committee’s oversight. OSTP’s response to this legitimate exercise of Congressional 
oversight authority has been disappointing. Instead of prompt compliance, there has been a pattern of 
dilatory tactics from the onset of this oversight inquiry. 

The subpoena itself is broad in the sense of the types of documents sought, but quite narrow in that 
they all focus on Todd Park’s role with Healthcare.gov. Considering OSTP failed to provide all of the 
documents the Committee requested last December, it is the Committee’s hope that the detailed list of 
documents sought will in full faith complete the inquiry in its entirety. Unfortunately, the breadth of 
the subpoena was in no small part a direct response to the lack of cooperation from OSTP and 
Congress’ inability to get straightforward answers to legitimate oversight inquiries. Since the 
issuance of the subpoena almost two months ago, the Committee has gone to great lengths to 
accommodate OSTP by further prioritizing not only the subject matter, format, and date range of the 
subpoena, but also agreeing to an in camera review on more than one occasion with the OWHC in 
order to help receive documents in a somewhat timely fashion. It has therefore been disheartening to 
see the OWHC use this accommodation to exclude documents the Committee had clearly indicated it 
was interested in and again failed to produce the documents to the Committee in an un-redacted 
format. 

While some progress has been made, despite nearly two months of effort, there are still specifically 
identified responsive emails that have yet to be provided even in a redacted format. Of those redacted 
documents that have been turned over, on numerous occasions my staff requested that they be 
produced in an un-redacted format or as an additional accommodation requested a detailed list of the 
documents identifying why they are redacted and providing not only a description of the redacted 
portion but also a legitimate legal basis for its redaction. Unfortunately, the OWHC has not been able 
to accommodate these requests thus far. 

III. The claim of “Executive Branch confidentiality interest” is Without Merit 

To date, OSTP and OWHC have asserted only a generalized claim of a “long-standing Executive 
Branch confidentiality interest” as the rationale for refusing to provide some of the requested material. 
Congress also has a “long-standing legislative interest in oversight” and is entitled to review duly 
subpoenaed documents. As we have expressed multiple times, “Executive Branch confidentiality 
interests” are not a legal basis for withholding subpoenaed information from Congress. OSTP and 
OWHC have failed to provide a detailed privilege log identifying the documents being withheld in full 
or in part, and the legal basis that would justify applicability of a privilege to the withheld information. 
A general assertion of “Executive Branch confidentiality interests,” in the face of a duly authorized 
Congressional subpoena, is neither a constitutionally protected privilege nor even a recognized 
common law privilege. The general interests discussed have historically been in response to a 
Congressional request for information. However, at least since its drafting in 1989 by Assistant 
Attorney General William Barr, the Executive Branch distinguishes the generalized claim of 
“Executive Branch confidentiality interests” in response to a Congressional request much differently 
than in response to a duly authorized Congressional subpoena: 

“While the considerations that support the concept and assertion of executive privilege 
apply to any congressional request for information, the privilege itself need not be claimed 
formally vis-à-vis Congress except in response to a lawful subpoena...” (Memorandum for 
Congressional Requests for Confidential Executive Branch Information, June 19, 1989) 
(Emphasis added) 

If it is OSTP’s position that “Executive Branch confidentiality interests” outweigh Congressional 
oversight and legislative interests, then we request that you inform the Committee whether executive 
privilege is being asserted by the President and whether the basis of that assertion is some form of 
“deliberative process” or “presidential communication.” If executive privilege is in fact asserted, then 
the Committee is entitled to a written summary of the redacted portions so that we can determine our 
next course of action. 

IV. Compliance with Duly Authorized Subpoena 

Given that the Committee began this oversight well over a year ago and the subpoena was issued 
nearly two months ago, the time for accommodation and dilatory tactics must come to an end. The 
Committee demands, through the authority of the aforementioned duly authorized Congressional 
subpoena, that any and all responsive documents, and in particular those that have been specifically 
identified by Committee staff, be turned over to this Committee immediately in an un-redacted format. 


Sincerely, 

Lamar Smith 
Chairman 

Cc: Rep. Eddie Bernice Johnson 
Ranking Member 

EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF SCIENCE AND TECHNOLOGY POLICY 
WASHINGTON, D.C. 20502 

July 3, 2014 


The Honorable Paul Broun 
Chairman, Subcommittee on Oversight 
Committee on Science, Space, and Technology 
2321 Rayburn House Office Building 
Washington, DC 20515 

Dear Chairman Broun, 

Thank you for meeting with Congressmen Smith, Wolf, and Fattah, U.S. Chief 
Technology Officer (CTO) Todd Park, and me on June 24, 2014. We appreciated the 
opportunity to meet with you. 

At that meeting, you and Chairman Smith reiterated that the Subcommittee’s oversight 
interest continues to be the security and privacy of the Healthcare.gov website. When Mr. Park 
offered to answer questions and clarify his role, you responded that you were not there to get 
answers, and you indicated that you felt all of the Subcommittee members should have a chance 
to ask questions. We accordingly write to follow up on our meeting and to continue the efforts 
we have made to try and accommodate the Subcommittee’s stated oversight interests. 

The Office of Science and Technology Policy’s (OSTP) prior correspondence with 
Chairman Smith makes clear that Mr. Park and OSTP personnel have not been substantially 
involved in developing or implementing the Federally Facilitated Marketplace’s (FFM) security 
measures. In attempting to arrive at an appropriate accommodation, this is worth emphasizing. 
Mr. Park is not a cybersecurity expert; he did not develop or approve the security measures in 
place to protect the website, and he does not manage those responsible for keeping the site safe. 
The Centers for Medicare and Medicaid Services are directly responsible for those tasks and 
have the relevant first-hand knowledge. 

Nevertheless, OSTP has tried to provide information to meet your stated interest and that 
of the Committee, including by offering Dr. Patricia Falcone, a Senate-confirmed Associate 
Director, to testify regarding cybersecurity issues generally. As a further significant attempt to 
accommodate your stated interests, OSTP is willing to arrange for Mr. Park to meet with the 
Oversight Subcommittee members at a mutually convenient time. Mr. Park would brief 
members about his role as CTO and members would have an opportunity to ask Mr. Park 
questions about the extent of his familiarity with the security and privacy aspects of the 
Healthcare.gov website. Associate Director Falcone would also be willing to attend such a 
meeting with Mr. Park. Dr. Falcone does not have specific knowledge of the data-security 
standards in place for healthcare.gov, but she is knowledgeable about general cybersecurity 
policy issues, including a cybersecurity report that your staff identified as relevant to its inquiry 
when first seeking an OSTP witness to testify before the Committee. 

Finally, you asked for a list of the CTO Office’s staff and the salaries OSTP pays. The 
CTO Office’s staff is listed on OSTP’s webpage: 

http://www.whitehouse.gov/administration/eop/ostp/about/leadershipstaff. OSTP pays four of 
these staff members and, in the aggregate, the salary expenses total $456,418. OSTP looks 
forward to continuing to work with you on science and technology issues. 


Sincerely, 





John P. Holdren 

Assistant to the President for Science and Technology 
Director, Office of Science and Technology Policy 


cc: The Honorable Lamar Smith 
Chairman 

Committee on Science, Space and Technology 

The Honorable Frank Wolf 
Chairman 

Subcommittee on Commerce, Justice, and Science 

The Honorable Chaka Fattah 
Ranking Member 

Subcommittee on Commerce, Justice, and Science 

The Honorable Eddie Bernice Johnson 
Ranking Member 

Committee on Science, Space and Technology 

The Honorable Dan Maffei 

Ranking Member, Subcommittee on Oversight 

Committee on Science, Space, and Technology 


Email from H. Comm. on Science, Space, & Technology Majority Staff to OSTP staff (Oct. 28, 2013, 5:42 p.m.) 
(“I suspect we would touch on related issues raised and addressed in the ‘Cyberspace Policy Review’ and the Dec. 
2011 report ‘Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development 
Program,’ both of which were referred to in Dr. Holdren’s testimony before the Committee in a full committee 
oversight hearing on June 20, 2012.”) 


LAMAR S. SMITH, Texas 
CHAIRMAN 

Congress of the United States 
House of Representatives 

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
2321 Rayburn House Office Building 
Washington, DC 20515-6301 
(202) 225-6371 
www.science.house.gov 

October 31, 2013 


Mr. Todd Park 

Chief Technology Officer 

Office of Science and Technology Policy 

725 17th Street N.W. 

Washington, DC 20502 

Dear Mr. Park: 

On Tuesday November 19, 2013, at 10:00 a.m. in Room 2318 of the Rayburn House Office Building, the 
Committee on Science, Space, and Technology will hold a hearing titled, “Is Your Data on the 
Healthcare.gov Website Secure?” I am writing to formally invite you to testify at this hearing. 

The hearing will examine concerns about the lack of privacy standards for personal information passing 
through the Healthcare.gov website and the threat posed to Americans if hackers on the Internet gained 
access to such information. 

The data passing through the Healthcare.gov website is one of the largest collections of personal 
information ever assembled, linking information from seven different federal agencies along with state 
agencies and government contractors. In order to gain information on potential healthcare coverage 
through the website, users must input personal contact information, birth dates and social security 
numbers for all family members, as well as household salary and debt information. Users may also be 
asked to verify home mortgage and credit card information, place of employment, previous addresses, and 
whether the person has any physical or mental disabilities. 

In your testimony, please be prepared to discuss what specific security standards and technical measures 
are in place to protect Americans’ privacy and personal information that passes through the 
Healthcare.gov website, and what specific steps are in place to mitigate scenarios in which the system is 
hacked, or personal information is compromised or leaked. 

You are requested to submit a written statement, which may be of any reasonable length and may contain 
supplemental materials; however, please be aware that the Committee cannot guarantee that supplemental 
material will be included in the printed hearing record. Oral statements and answers to Member questions 
will be printed as part of the record of the hearing; only technical, grammatical, and typographical errors 
will be corrected. In order to allow sufficient time for questions at the hearing, you should highlight the 
most significant points in your testimony in an oral presentation of no more than five minutes. 

Witnesses testifying before the Committee on Science, Space, and Technology must observe the 
procedures governing witness testimony. These procedures are described in the following enclosures and 
provide important details concerning the preparation and presentation of your testimony before the 
Committee on Science, Space, and Technology on November 19, 2013, at 10:00 a.m.: 



• The first enclosure outlines the rules governing appearance before the Committee. 

• The second enclosure provides you with the Committee’s Hearing Room Capabilities. 

• The third enclosure provides you with the Truth-in-Testimony Instructions and the Truth-in- 
Testimony Disclosure Form. 

Please email your testimony, biography, and truth in testimony form to Ms. Sarah Grady at 
Sarah.Grady@mail.house.gov as soon as it is available, but not less than 48 hours before the hearing. 
Sixty-five copies of your testimony must also be hand delivered to the Committee’s main office. Room 
2321 Rayburn Office Building, 48 hours prior to the hearing. Due to increased security measures in place 
at House office buildings, you will need to contact Ms. Grady to arrange for delivery of your testimony at 
(202) 225-6371. 

In addition, if you wish to use the Committee’s multimedia facilities during your oral testimony, a 
description of which is enclosed, please contact Mr. David Hartzler at david.hartzler@mail.house.gov. 
Our staff can usually accommodate most requests with 72 hours’ notice. 

If you have any questions concerning any aspect of your testimony, please contact Mr. Raj Bharwani, 
Committee on Science, Space, and Technology, at (202) 225-6371. I look forward to your participation 
in the hearing. 


Sincerely, 


Lamar Smith 
Chairman 


Enclosures (1) Rules Governing Appearance before the Committee on Science, Space, and 
Technology 

(2) Hearing Room Capabilities 

(3) Truth-In-Testimony Instructions and Truth-In-Testimony Disclosure Form 


cc: 


Rep. Eddie Bernice Johnson 
Ranking Member 
Enclosure 1 


MEMORANDUM 

TO: WITNESSES APPEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT OF THE 
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY DURING THE 113th 
CONGRESS 

FROM: COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 

RE: RULES GOVERNING APPEARANCE BEFORE THE SUBCOMMITTEE 


The following procedures govern witnesses appearing before the Committee on Science, Space, 
and Technology for the 113th Congress: 

1. The Rules of the Committee require you to complete the attached Truth-In-Testimony 
Disclosure Form to disclose the amount and source (by agency and program) of any 
Federal grant (or subgrant thereof) or contract (or subcontract thereof) received during 
the current fiscal year or either of the two previous fiscal years by you or by an entity 
represented by you which are relevant to the subject matter of your testimony or the 
hearing at which you are testifying. Should you need extra space, please provide 
additional information on a separate sheet of paper. 

2. You must submit to the Committee a draft copy of your written testimony no less than 
72 hours, excluding weekends and Federal holidays, before you are to testify. 

3. No less than 48 hours, excluding weekends and Federal holidays, before you are to 
testify, you must also submit to the Committee: 

• An electronic copy of your final written testimony, preferably in searchable PDF 
format, including any supporting graphs, charts, or slideshows. This electronic 
version will be posted on the Committee website, and will be accessible by the 
public. 

• Forty-five (45) hard copies of your final written testimony, including any 
supporting graphs, charts, or materials; 

• An electronic copy of a short narrative biography; 

• Forty-five (45) hard copies of a short narrative biography; 

• Two (2) hard copies of your Curriculum Vitae; and 

• Two (2) hard copies, including one signed original, of your completed Truth-in- 
Testimony Disclosure Form. 


5. You must notify the Committee no later than 48 hours before you are to testify if you 
want to use any multimedia capabilities as provided by the hearing room, and must 
provide all material to be presented in this fashion in hard copy form to the Committee. 
Please see Enclosure 2 for further explanation of hearing room capabilities. 

If you are using any of the room's multimedia capabilities, you or your designee must 
arrive no less than 30 minutes before the designated start time of the hearing to allow 
for set-up. Failure to do so may result in the multimedia portion of the presentation 
being canceled. 

6. Transcripts of hearings conducted by the Committee shall be published in substantially 
verbatim form, subject only to technical, grammatical, and typographical corrections. 


NOTE: Section 210 of the Congressional Accountability Act of 1995 applies the rights 
and protections covered under the Americans with Disabilities Act of 1990 to the 
United States Congress. Accordingly, the Committee on Science and Technology 
strives to accommodate / meet the needs of those requiring special assistance. If you 
need special accommodation or require materials in alternative formats, please 
contact the Committee on Science and Technology in advance of the scheduled event 
(3 days requested) by telephone at (202) 225-6371, by facsimile at (202) 226-0113, or 
TTY (202) 226-4410. 
Enclosure 2 


COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY 
HEARING ROOM CAPABILITIES 


Equipment Capabilities 

A) PROJECTOR — The hearing room is equipped with a ceiling-mounted projector capable of 
displaying computer graphics and video feed. 

B) DROP DOWN VIDEO SCREEN — The rear of the hearing room is equipped with a large 
drop down screen viewable from the dais and side seats. 

C) WALL-MOUNTED LCD MONITORS — The hearing room is equipped with two monitors, 
one on each side of the room, for audience viewing. 

D) WITNESS MONITOR — A monitor will also be in place in front of the witness table so 
witnesses can see the screen, as well. 

Computer-Based Presentation 

Please bring your presentation on a memory stick (flash drive, thumb drive) or on your personal 
laptop to the hearing room at least a half-hour before the hearing so that we may help you set it 
up at the witness table. If you bring your presentation on a laptop, your laptop should be 
equipped with a functioning graphics port with either a VGA or MAC external connector. 
Because there are many makes and models of laptops, please be prepared to operate the external 
graphics port for your own laptop. 

Audiovisual/Multimedia Capabilities 


A) The room supports the following transmission methods to broadcast committee activities to 
remote sites: 

1. Telephone Conferencing (Audio Only). 

2. Live Audio-Video Streaming (Webcasting). 

3. Video Teleconferencing. 

4. Video and Audio overflow transmission to room 2325. 

B) The room receives House Cable TV feeds for display. 

C) The hearing room equipment can playback and display compact discs, dvd discs, and 
overhead slides. 

Equipment Support 

Questions should be directed to David Hartzler at david.hartzler@mail.house.gov. 

Enclosure 3 


Instructions for Completing the Truth-in-Testimony Disclosure Form 


In General. The accompanying form is intended to assist witnesses appearing before the 
Committee on Science, Space, and Technology Subcommittee on Oversight in complying with 
Rule XI, clause 2(g)(5) of the Rules of the House of Representatives. The rule requires that: 

In the case of a witness appearing in a nongovernmental capacity, a written statement 
of proposed testimony shall include a curriculum vitae and a disclosure of the amount 
and source (by agency and program) of any Federal grant (or subgrant thereof) or 
contract (or subcontract thereof) received during the current fiscal year or either of the 
two previous fiscal years by the witness or by an entity represented by the witness. 

Such statements, with appropriate redactions to protect the privacy of the witness shall 
be made publicly available in electronic form not later than one day after the witness 
appears. 


Please complete the form in accordance with these directions. 

1. Name (Item 1 on the form). Please provide the name of the witness in the box at the top of 
the form. 

2. Governmental Entity (Item 2). Please check the box indicating whether or not the witness 
is testifying on behalf of a government entity, such as a Federal department or agency, or a 
State or local department, agency, or jurisdiction. Trade or professional associations of 
public officials are not considered to be governmental organizations. 

3. Nongovernmental Entity (Item 3). Please check the box indicating whether or not the 
witness is testifying on behalf of an entity that is not a governmental entity. 

4. Entity(ies) to be Represented (Item 4). Please list all entities on whose behalf the witness 
is testifying. 

5. Grants and Contracts (Item 5). Please list any Federal grants or contracts (including
subgrants or subcontracts) that the witness personally or the entity the witness is
representing has received from the Federal Government on or after October 1, 2010.

6. Representational Capacity (Item 6). If the answer to the question in item 2 is yes, please
characterize the capacity in which the witness is testifying on behalf of the entities listed in
item 4.

7. Affiliated Entities (Item 7). Please indicate whether the entity on whose behalf the witness
is testifying has parent organizations, subsidiaries, or partnerships that are not represented 
by the testimony of the witness. 

8. Grants and Contracts (Item 8). Please disclose grants and contracts as directed. 

9. Submission. Please sign and date the form in the appropriate place. Please submit this 
form with your written testimony. Please note that under the Committee’s rules, copies of a 
written statement of your proposed testimony must be submitted before the commencement 
of the hearing. To the greatest extent practicable, please also provide a copy in electronic 
format, preferably in searchable pdf format. Written testimony and the Truth-In-Testimony
disclosure form will be made publicly available and posted on the Committee’s website.

Enclosure 3


Committee on Science, Space, and Technology 
U.S. House of Representatives 

Witness Disclosure Requirement - "Truth in Testimony"
Required by House Rule XI, Clause 2(g)(5) 


1. 

Your Name: 



2. 

Are you testifying on behalf of the Federal, or a State or local 
government entity? 

Yes 

No 

3. 

Are you testifying on behalf of an entity that is not a government
entity?

Yes 

No 

4. 

Other than yourself, please list which entity or entities you are representing: 


5. 

Please list any Federal grants or contracts (including subgrants or subcontracts) that
you or the entity you represent have received on or after October 1, 2010:

6. 

If your answer to the question in item 3 in this form is “yes,” please describe your
position or representational capacity with the entity (ies) you are representing:

7. 

If your answer to the question in item 3 is “yes,” do any of the
entities disclosed in item 4 have parent organizations, subsidiaries, 
or partnerships that you are not representing in your testimony? 

■ 

No 

8. 

If the answer to the question in item 3 is “yes,” please list any Federal grants or 
contracts (including subgrants or subcontracts) that were received by the entities listed 
under the question in item 4 on or after October 1, 2010, that exceed 10 percent of the 
revenue of the entities in the year received, including the source and amount of each 
grant or contract to be listed: 


I certify that the above information is true and correct. 

Signature: Date: 
THE WHITE HOUSE

WASHINGTON 


October 10, 2014 


The Honorable Lamar Smith 
Chairman 

Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

The Honorable Paul Broun 
Chairman 

Subcommittee on Oversight of the 
Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

Dear Chairmen Smith and Broun: 

I write in response to the Committee on Science, Space, and Technology’s continued
interest in information concerning the healthcare.gov website and former United States Chief
Technology Officer Todd Park, including the subpoenas for documents issued on September 19,
2014. Before the Subcommittee on Oversight authorized issuance of the subpoenas, the Office
of Science and Technology Policy (OSTP) produced more than one thousand pages of
documents to the Committee and stated it was willing to produce additional documents
voluntarily. In addition, Mr. Park attended a meeting with both of you in June to answer any
questions, and he also offered to appear again and answer questions at a hearing in November.
Despite these efforts to address the Committee’s interests, the Subcommittee on Oversight
elected to authorize the issuance of subpoenas.

The subpoenas issued by the Committee are quite broad. For nearly a year, the
Committee consistently articulated its oversight interest in healthcare.gov as a desire for
information about the measures in place to defend the HealthCare.gov website against malicious
cyber attacks and to safeguard the personal data of Americans.¹ The subpoena resolution


¹ See, e.g., Letter from the Hon. Lamar Smith, Chairman, Committee on Science, Space, and Technology, to Todd
Park, Assistant to the President and United States CTO (October 31, 2013), at 1 (Mr. Park should address “what
specific security standards and technical measures are in place to protect Americans’ privacy and personal
information that passes through the Healthcare.gov website, and what specific steps are in place to mitigate
scenarios in which the system is hacked, or personal information is compromised or leaked.”); Letter from the Hon.
Lamar Smith, Paul Broun, M.D., and Larry Bucshon, M.D., to the Hon. John P. Holdren, Director, Office of Science
and Technology Policy (December 20, 2013) (referencing a Committee hearing in November of that year to examine
the risks that online criminals and identity thieves might pose if they gained access to customers’ personal
information); 160 Cong. Rec. H4953 (daily ed. May 29, 2014) (statement of Rep. Broun) (“It also turns out that a
co-chairman of this Obamacare website Steering Committee is the U.S. Chief Technology Officer in the White
memorandum prepared for the Oversight Subcommittee, in a section discussing the questions
that remain, makes clear that the Subcommittee sought “to have subpoenas issued to Mr. Park in
order to compel his records and his appearance before the Oversight Subcommittee to answer
questions regarding the security of the website . . . ”² The press release issued by the Committee
after the vote to authorize the subpoenas, entitled “Subcommittee Votes to Subpoena Todd Park
on White House Role in HealthCare.gov Security,” continued to emphasize the Committee’s
interest in security.³

The actual terms of the Committee’s subpoenas, however, extend well beyond the 
Committee’s articulated interest in the security of the website. The subpoenas’ broad demands 
for the production of records “related to the HealthCare.gov website” intrude on Executive 
Branch interests, particularly in light of the substantial resources required to gather and review 
many documents that would appear to be of little, if any, oversight interest — for instance, news 
articles that simply mention HealthCare.gov or other materials unrelated to the security measures 
in place to protect the website. 

As evidence of OSTP’s continued desire to foster a productive working relationship with
the Committee, however, enclosed with this letter are 5,613 pages of documents that are
responsive to the terms of the subpoenas as written. OSTP will continue to review and produce
additional documents on a rolling basis to speed the Committee’s access to information. At the
same time, I continue to encourage your staff to contact my staff to engage in the traditional
process of dialog and accommodation that would allow us to explore ways in which the
Committee might prioritize or narrow its requests for information and allow us to more
efficiently work to satisfy the Committee’s particularized information needs.


Sincerely, 

W. Neil Eggleston 
Counsel to the President 



House Office of Science and Technology Policy, Mr. Todd Park. Upon learning this, I, as chairman of the
Oversight Subcommittee, along with full Committee Chairman Smith, and Research and Technology Subcommittee
Chairman Dr. Bucshon, sent a December 20, 2013, letter to the White House requesting that Mr. Park make himself
available to the committee to answer questions regarding the security issues with healthcare.gov by January 10.”).

² Memorandum from Oversight Subcommittee Staff to Members and Staff of the Science, Space, and Technology
Subcommittee of Oversight (Sept. 12, 2014), at 6.

³ Subcommittee on Oversight of the Committee on Science, Space, & Technology Press Release, “Subcommittee
Votes to Subpoena Todd Park on White House Role in HealthCare.gov Security,” Sept. 17, 2014 (“The Committee
has invited Mr. Park to testify before us on five different occasions on his knowledge of privacy and security matters
relating to the Affordable Care Act website, HealthCare.gov Additionally, recent reports about a successful
hack of the website have further raised the stakes on the need to ensure Americans who log on to HealthCare.gov
later this year are safe from cyber criminals.”).


Enclosure (documents Bates numbered 0001108-0006720)

cc: The Honorable Eddie Bernice Johnson
Ranking Minority Member 
Committee on Science, Space, and Technology 

The Honorable Dan Maffei 
Ranking Minority Member 
Subcommittee on Oversight 
THE WHITE HOUSE

WASHINGTON 


October 31, 2014 


The Honorable Lamar Smith 
Chairman 

Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515 

The Honorable Paul Broun 
Chairman 

Subcommittee on Oversight of the 
Committee on Science, Space, and Technology 
U.S. House of Representatives 
Washington, DC 20515

Dear Chairman Smith and Chairman Broun: 

I write in further response to the Committee on Science, Space, and Technology’s interest
in information concerning the healthcare.gov website and former United States Chief
Technology Officer Todd Park. The Office of Science and Technology Policy (OSTP) has
produced over 6,500 pages of documents to the Committee to date. As requested, we also
arranged for delivery to the Committee of 1,324 pages of documents sent or received by Todd
Park from among the 130,000-plus pages of documents produced to Congress by the Department
of Health and Human Services concerning healthcare.gov. To further accommodate your
articulated interest, Mr. Park attended a meeting with both of you in June to answer any
questions. OSTP has also repeatedly offered to have Associate Director Patricia Falcone testify
at a Committee hearing on cybersecurity policy issues. Mr. Park also had voluntarily agreed to
testify at a hearing next month before you issued an unnecessary subpoena to compel his
attendance.

Enclosed with this letter are an additional 1,857 pages of documents that are responsive
to the document subpoenas issued by the Subcommittee. In producing these materials, OSTP has
made an effort to respond to the priorities articulated in discussions with Subcommittee staff. In
addition to the materials produced with this letter, I invite your staff to contact Lamar Baker and
Nicholas McQuaid of my staff next week to discuss how we might make further
accommodations, including the possibility of in camera review, for documents identified during
the review of records thus far that implicate long-recognized Executive Branch confidentiality
interests. The ability to tailor appropriate accommodations would be aided by an explanation
from the Committee of whether there exists a particularized need for such documents in light of
the Committee’s stated interest in the security measures in place to defend the healthcare.gov
website against malicious cyber-attacks and to safeguard the personal data of Americans.

With the nearly 10,000 pages of documents the Committee has now received, Mr. Park’s
testimony in November, and the other efforts OSTP has made, much has already been
accomplished to meet the Committee’s articulated interest. OSTP will continue to work to
accommodate the Committee’s request in a manner that takes into account relevant time
demands and the scheduled hearing date in November. To that end, in its review and processing
of remaining documents that may be responsive to the very broad subpoenas issued by the
Committee, OSTP intends to focus on materials created after October 1, 2013, that concern the
security of healthcare.gov. OSTP expects to be in a position to make a next production of
documents that includes such materials within two weeks. After the Committee receives those
additional documents, our respective staffs will be in a better position to discuss any remaining
legitimate interest in Mr. Park’s role with respect to healthcare.gov and how best to
accommodate any such interest consistent with the duties and responsibilities of the Executive
Office of the President.



Enclosure (documents Bates numbered 0006721-0008577) 

cc: The Honorable Eddie Bernice Johnson 

Ranking Minority Member 
Committee on Science, Space, and Technology

The Honorable Dan Maffei 
Ranking Minority Member 
Subcommittee on Oversight 


THE WHITE HOUSE

WASHINGTON 

September 16, 2014 


The Honorable Paul Broun 
Chairman 

Subcommittee on Oversight of the 
Committee on Science, Space, and Technology 
U.S. House of Representatives
Washington, DC 20515 

Dear Chairman Broun: 

I understand that last Friday the Committee on Science, Space, and Technology’s
Subcommittee on Oversight (the Subcommittee) noticed a September 17, 2014, business meeting
to consider issuing two subpoenas. As described in the notice, the Subcommittee will consider 
whether to issue a subpoena for Todd Park to appear at a hearing before the Subcommittee, and 
whether to issue a subpoena for the production of some of Mr. Park’s records, during his former 
tenure in the Office of Science and Technology Policy (OSTP) as United States Chief 
Technology Officer (CTO), relating to the healthcare.gov website. 

I write in advance of the Subcommittee’s meeting to ensure you understand that the
issuance of these subpoenas is unnecessary. Mr. Park will appear voluntarily for a hearing
before the Subcommittee on a mutually convenient date in November to discuss your expressed
interest in the healthcare.gov website. OSTP is willing to produce additional documents —
including the 102 pages proactively provided with this letter — to further accommodate your
“efforts to examine the safety, security and privacy of Americans’ personal data through the
Obamacare website.”¹ The remainder of this letter discusses OSTP’s efforts to cooperate with
your oversight interests thus far, and OSTP’s continued willingness to do so without any need for
subpoenas.

I understand that both the full Committee and the Oversight Subcommittee have 
articulated their interest in the security of healthcare.gov as a desire for information about the
measures in place to defend the healthcare.gov website against malicious cyber attacks and to 
safeguard the personal data of Americans. When Chairman Smith initially wrote to Mr. Park to 
express interest in healthcare.gov, the letter asked Mr. Park to address “what specific security 
standards and technical measures are in place to protect Americans’ privacy and personal 
information that passes through the Healthcare.gov website, and what specific steps are in place 
to mitigate scenarios in which the system is hacked, or personal information is compromised or 


¹ Letter from the Hon. Lamar Smith, Paul Broun, M.D., and Larry Bucshon, M.D., to the Hon. John P. Holdren,
Director, Office of Science and Technology Policy (December 20, 2013) [hereinafter “December 20 Letter”], at 3. 
leaked.”² An email from Committee staff to OSTP at about the same time expressed interest in
cybersecurity issues more generally, including a cybersecurity policy report that OSTP Associate
Director Patricia Falcone helped prepare.³ In the same vein, your December 20, 2013, letter to
OSTP referenced a hearing the Committee held in November of that year to examine the risks
that online criminals and identity thieves might pose if they gained access to customers’ personal
information.⁴ And more recently in January of this year, the Committee continued its focus on
the standards and technical protocols in place to defend against malicious cyber attacks in a
second hearing convened on the same topic with “white hat” hackers as witnesses.⁵

From the outset, OSTP has been clear about the limitations both it and Mr. Park face in 
attempting to respond to the requests for information and testimony concerning these issues 
involving the development of security standards and the design of scenarios to respond to 
malicious intrusion attempts. As noted several times in prior correspondence, primary 
responsibility for those tasks lies elsewhere — with the Centers for Medicare and Medicaid 
Services (CMS) — and it is CMS that is in the best position to provide complete, current, and 
accurate information regarding the security protocols in place to protect the website. 
Nevertheless, the record reflects that OSTP has made substantial efforts to try to accommodate 
the Committee’s interest in security and to clarify Mr. Park’s role. 

OSTP has produced more than one thousand pages of documents; offered on multiple 
occasions to have Associate Director Falcone testify at a Committee hearing on cybersecurity 
policy issues; made Mr. Park available for a meeting with you and Chairman Smith in your 
office, where Mr. Park was willing to address any questions put to him; and offered to have Mr.
Park brief all Subcommittee members. Through these substantial efforts at accommodation,
OSTP has attempted to help the Committee better understand Mr. Park’s actual duties as the
United States CTO and his role with respect to healthcare.gov.

In particular, regarding the documents you have received, your letter of December 20 
asked OSTP to produce a very broad set of materials, including all OSTP records concerning the 
Affordable Care Act and healthcare.gov, scheduling information, records concerning internal 
White House briefings, and even documents that had not been created but might conceivably be 
provided to Congress in the future.⁶ Confronted with this broad request and a short deadline in
the December 20 letter for responding, OSTP focused its efforts to provide information on the 
issue that was plainly of particular interest to the Committee, namely, Mr. Park’s participation as 
one of three co-chairs on the healthcare.gov Interagency Steering Committee. Your December 


² Letter from the Hon. Lamar Smith, Chairman, Committee on Science, Space, and Technology, to Todd Park,
Assistant to the President and United States CTO (October 31, 2013), at 1.

³ Email from H. Comm. on Science, Space, & Technology Majority Staff to OSTP staff (Oct. 28, 2013, 5:42 p.m.)
(“I suspect we would touch on related issues raised and addressed in the ‘Cyberspace Policy Review’ and the Dec
2011 report ‘Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development
Program,’ both of which were referred to in Dr. Holdren’s testimony before the Committee in a full committee
oversight hearing on June 20, 2012.”)

⁴ December 20 Letter, at 1 (“The expert witnesses at our hearing outlined the significant risk of identity theft to
Americans if hackers gained access to their personal information.”).

⁵ Hearing Before the H. Comm. on Science, Space, & Tech., 113th Cong. (January 16, 2014) [hereinafter, January 16
Hearing].

⁶ December 20 Letter at 3.
20 letter focused on this Steering Committee and its security and privacy subgroup — even going
so far as to attach a draft charter for the Steering Committee.⁷

Accordingly, in its January 15, 2014, response, OSTP described the documents it was 
producing: those concerning the Steering Committee and other interagency meetings that made 
reference to security, which appeared to be of special interest to the Committee.⁸ OSTP’s
January 15 letter also explained the interagency coordination function the Steering Committee
served, Mr. Park’s role in it, and why his participation was not an indication that he had 
substantial knowledge or expertise concerning the standards or technical protocols for dealing 
with malicious intrusions that are the focus of the Subcommittee’s oversight inquiry. In the eight 
months following OSTP’s production of these documents, the Subcommittee expressed no 
continued interest in receiving additional documents, nor did it raise any questions concerning 
the Steering Committee materials provided. Thus, you can understand why the abrupt notice of a
business meeting to consider a subpoena for documents came as a surprise. 

Despite OSTP’s efforts at accommodation, it seems that the push to issue subpoenas this 
fall may unfortunately reflect a continued misunderstanding of Mr. Park’s involvement in the
security of the healthcare.gov website. This letter therefore provides additional information, 
namely, additional OSTP documents beyond those already provided concerning the Interagency 
Steering Committee, concerning Mr. Park’s limited involvement in the security aspects of the 
website, which are primarily handled by CMS. The enclosed documents can be grouped into 
three categories. 

First, in an extension of his role with the Steering Committee, Mr. Park, and his other
co-Chairs were occasionally asked to assist in instances when White House personnel made requests
to officials at HHS and CMS. One instance when such assistance was sought involved a request
for a meeting on user credentialing and identity-proofing from National Security Staff and Office
of Management and Budget officials. The documents themselves make clear that although the
particular request for assistance was made from CMS officials to Mr. Park, it was another
co-Chair who provided assistance in addressing that request.⁹

Second, Mr. Park was asked on a small number of occasions to assist in obtaining 
information from CMS and HHS personnel responsible for security of the website. In that role, 
Mr. Park asked HHS and CMS officials to develop background points describing the 
cybersecurity protections and helped coordinate follow-up conversations between the HHS and 
CMS officials and cybersecurity experts both inside and outside the government. Again, the 
emails themselves show that Mr. Park was not directly familiar with the development of 


⁷ See also January 16 Hearing (statement of Rep. Paul Broun, M.D.) (“It’s probably [sic] the oversight committee
of — subcommittee of this committee’s attention that there is — or at least was [an] Affordable Care Act information
technology exchanges steering committee [chaired] by senior White House officials established back in May 2012,
almost a year and a half before the roll out of Healthcare.gov.”).

⁸ Letter from Donna Pignatelli, Director, OSTP Legislative Affairs, to the Hon. Lamar Smith, Chairman,
Committee on Science, Space, and Technology (January 15, 2014) [hereinafter January 15 Letter], at 3. At
Chairman Smith’s request, OSTP also produced all documents that it had at that point provided to the Committee on
Oversight and Government Reform.

⁹ Email from Steven VanRoekel to J. Michael Daniel, et al. (Apr. 12, 2013, 3:25 p.m.), enclosed.
cybersecurity defenses in place, but instead served as an intermediary and relied on the HHS and
CMS officials to provide the substance of the information he then passed on to others.¹⁰

Third, shortly before the first open enrollment period, Mr. Park also served as a liaison 
with cybersecurity officials at HHS and CMS in connection with efforts to explain publicly the 
cybersecurity protections for the health insurance marketplaces. This “spokesman” function is 
one Mr. Park performed from time to time as CTO with respect to technology issues generally. 
Importantly, the enclosed emails again confirm that Mr. Park was not speaking from direct 
personal knowledge or experience on cybersecurity — before participating in a press call, he 
solicited the relevant information from CMS cybersecurity personnel and sought to have them 
participate in the call given his relative lack of familiarity with cybersecurity issues.¹¹

The information provided in and with this letter is consistent with what OSTP has 
previously explained: that CMS is best positioned to address the Subcommittee’s questions 
regarding the security of the website and that Mr. Park has not been substantially involved in 
developing or managing the “specific security standards and technical measures ... in place to
protect Americans’ privacy and personal information that passes through the Healthcare.gov
website.” More importantly, if the Subcommittee desires additional information, there is no
need to resort to subpoenas. Mr. Park will be pleased to testify at a Subcommittee hearing in
November. OSTP is also actively searching for additional records that may further illuminate 
Mr. Park’s relatively minor role on cybersecurity issues and is willing to voluntarily produce 
additional documents to aid the Subcommittee’s inquiry. Please simply have your staff 
communicate the Subcommittee’s priorities in that regard to OSTP. 


Sincerely, 

W. Neil Eggleston 
Counsel to the President 



¹⁰ Email from Todd Park to Tony Trenkle, et al. (Sept. 2, 2013, 1:14 p.m.), enclosed (“Hi Tony, many apologies for
interrupting your Labor Day, but can you help Chris with his follow-up question below (reference to ‘current federal
standards and how they exceed private sector as well as track record of protection from attacks’).”).

¹¹ Email from Todd Park to Tony Trenkle, et al. (Sept. 17, 2013, 9:54 p.m.), enclosed (“I've let Jessica know that
you guys are the font of detailed knowledge on CMS/HHS cyber and that I can talk to it at a general level only - she
thinks that will be OK on the call tomorrow, with detailed questions to be referred to agencies.”).

cc: The Honorable Lamar Smith

Chairman 

Committee on Science, Space, and Technology 

The Honorable Eddie Bernice Johnson 

Ranking Minority Member 

Committee on Science, Space, and Technology 

The Honorable Dan Maffei 
Ranking Minority Member 
Subcommittee on Oversight 
Hearing documents submitted by Majority staff


From: Park, Todd

Sent: Thursday, April 11, 2013 4:58 PM

To: VanRoekel, Steven

Subject: RE: Coordination on ACA

Hey brother, thanks so much for the note and the chat! Many apologies for not staying in tighter sync with you on this 
will make sure we stay in close sync going forward. 

Laura is rescheduling the site visit to happen in the next week or two, and we're going to have our ACA Next Steps 
meeting tomorrow with our smaller circle of WH folks to discuss the red team results and recommendations further 
(you'll see how unflinchingly clear-eyed and paranoid the red team was, as red teams need to be!) and also to discuss
the path forward on the interagency steering committee (which sounds like it has already evolved into its ideal form
going forward).

And then separately, Laura is also setting up more 1 to 1 time for you and me to talk about how we optimally coordinate
across our joint portfolio. As a hint of coming attractions, you're going to need to stay involved in ACA :)

It is absolutely awesome to be your teammate, and I truly treasure the incredible collaboration-for-the-public-good
we've forged across our offices, which I really do think of as a single team. May the double helix of awesomeness
continue, and may the Force continue to be with us :)

Todd 


From: VanRoekel, Steven 

Sent: Thursday, April 11, 2013 2:31 PM 

To: Park, Todd 

Subject: Coordination on ACA 


Todd, On ACA - I am hearing some feedback from both inside and outside the building about briefings to the President
next week, coordination on a "Red Team" with CMS, suggestions that we cancel the steering committee meeting,
suggestion that I not do a CMS visit tomorrow, and more. These raise concerns for me because when it's time to publicly
deliver on ACA, I will be the one called to the Hill to testify and, per my statutory authority, will be held accountable for
the successful delivery of this project. I anticipate there being increased Congressional scrutiny on the FFE as we move
forward. This is just as critical to the legacy of many Congresspeople as it is to the President, and that will raise the
likelihood of oversight hearings.

I am not trying to land grab in anyway, I just worry that we are uncoordinated here, and that given your history and
closeness with HHS, you are not hearing what I am hearing from the budget people in OMB, other agencies (other than
CMS) and the private sector that CMS is not being inclusive and is not leading a coordinated effort that will lead to
success. I am also worried that you getting a too-CMS-centric picture.

I would love nothing more than this not to be the case, to be assured ACA implementation is on a path we want it to be
on, and that existing efforts will deliver what we want.

I think we should, as our next meeting on ACA, sit down, without staff, and have a 1:1 to talk about how we coordinate
going forward.

Programs of this type ideally have a sequential planning, design, and
implementation process with significant testing and revision

Description of ideal situation:

• Sequential requirements, design, build, and testing

• Iteration and revision phases

• End-to-end integrated operations and IT testing

• Limited initial launch

Current situation:

• Multiple definitions of success

• Significant dependency on external parties/contractors

• Parallel ‘stacking’ of all phases

• Insufficient time and scope of end-to-end testing

• Launch at full volume

CMS has been working to mitigate challenges resulting from program characteristics

Confidential and Proprietary—Pre-decisional information


ECfOOOS 




Centers for Medicare & Medicaid Services 



Sent: Friday, August 23, 2013 11:18 AM 
To: Chao, Henry (CMS/OIS)

Cc: Mielke, Dawn M.; Graubard, Vivian 
Subject: Calling Red Hat 

Hey brother, great to speak with you this morning - just wanted to let you know that I could be available to call Red Hat
at 1 pm or between 3 to 4 pm.... Might that work for you? I get on a flight at 5 pm - but can totally delay that if
needed.... Just let me know, thanks!

Todd 

To: Couts, Todd (CMS/OIS)

Cc: Calem, Mark (CGI Federal); Weiss, Paul (CGI Federal)

From: Manambedu, Lakshmi (CGI Federal)

Sent: Fri 7/12/2013 6:11:47 PM

Subject: RE: Need a write up for Todd


Day One Capabilities - Priority and Risk - 20130712.docx


Hi Todd, 


Attached is what I have for E&E. You may be able to extract the major ones from this. 
In terms of other major milestones between Oct 1 and Jan 2014 are:

Enrollment Reconciliation - December 2013
Exemptions Applications - December 2013

Payment to Issuers - 3rd week of January 2014


Thank you

Lakshmi Manambedu | Vice President, CGI Federal | Mobile: | www.cgi.com


From: Chao, Henry (CMS/OIS) [mailto:henry.chao@

Sent: Friday, July 12, 2013 12:50 PM
To: Manambedu, Lakshmi (CGI Federal); Karlton Kim (kkim@; Donohoe, Paul X. (CMS/OIS);
Couts, Todd (CMS/OIS); Rhones, Rhonda D. (CMS/OIS)

Cc: Oh, Mark U. (CMS/OIS); Berkley, Katrina (CMS/OIS); Couts, Todd (CMS/OIS); Rhones, Rhonda D.
(CMS/OIS); Grothe, Kirk A. (CMS/OIS)

Subject: Need a write up for Todd
Importance: High


This is for sources material for Todd Park to pick nuggets from in his prep for briefing POTUS 
next week. 


So the write-up which are sentence(s) in bullet format needs to cover:


Contains Sensitive and Proprietary Business Information - Maintain as Confidential 
• The A-Z of testing by partner (Issuer, # of Issuers, State programs, types of
Marketplace, approach (waves, fi^ess, DE, 834/enrollment, etc.), and high level schedule.

• Overall list of key activities to be accomplished and risks for Day one (remaining
80 days) and Day ones for other major lifts prior to Day one of the benefit and the start of the
benefit.


Please use material we have already like the deck that we used for SVR and updated another
version for Marilyn/OL a few days ago.


Remember that bullets should not be written to be used to create more questions. 


Rhonda and Todd — please collect, format, and send to me by COB today. 

Henry Chao 

Deputy CIO & Deputy Director,

Office of Information Services

Centers for Medicare & Medicaid Services



From: Snyder, Michelle (CMS/OA)
Sent: Sunday, September 29, 2013 6:22 PM
To: Park, Todd
Subject: Re: Discussion points


Just so you know she decided in January we were going no matter what - hence the really cruel and uncaring march that
has occurred since January when she threatened me with a demotion or forced retirement if I didn't take this on - do
you really think she has enough understanding of the risks to fight for a delay - no and hell no - for just one moment let's
be honest with each other. I appreciate your belief in the goodness of others but at this point I am too tired to pretend
there is a decision to be made - it is just how much crap my team will have to take if it isn't sufficiently successful - you
haven't lived through the temper tantrums and threats for the last 9 months.

OK - that felt good - - am now back to my role as no comment civil servant

Delete this after reading - promise 

M 


Sent from my BlackBerry Wireless Device 


— Original Message — 

[mailto:[redacted]]

Sent: Sunday, September 29, 2013 05:54 PM
To: Snyder, Michelle (CMS/OA)

Subject: RE: Discussion points

Yes, got it. On the call with MT, Chris, and Jeanne, MT said that she appreciates the additional info we will generate
tonight, but that she and she alone will make the decision to go or not - which of course is right. And the way she is
thinking about it from a performance standpoint is that if enough of the additional hardware gets online to give us an
insurance policy, she is comfortable proceeding, with 90,000 concurrent users being far beyond the 50,000 that was the
CMS target

Because new hardware is going live on a rolling basis today and tomorrow, I think we are in very good shape on the
hardware front - and because the Miami equipment got here so early today, we've got a good shot at that being live
and helping us get to 90,000.

Will be good tonight as per one of the questions for the 9 pm to get people's guesstimate of what kind of traffic in
general (order of magnitude) would be associated with a 90,000 concurrent user scenario. Just so MT has that.

And will also be good to understand the EIDM situation a bit better to see if that is a separate bottleneck with a lower
concurrent user threshold? And if that's a possible threat to monitor. Again, just to inform MT.

Going to deliver cupcakes now :)


— Original Message — 

From: Snyder, Michelle (CMS/OA) [mailto:

Sent: Sunday, September 29, 2013 4:02 PM 
To: Park, Todd 

Subject: Re: Discussion points 

These are helpful but we are going live one way or another. MT has made it clear to me that that question isn't on the
table. It is more knowing how to message what won't work

M 


Sent from my BlackBerry Wireless Device 


— Original Message — 

[mailto:[redacted]]

Sent: Sunday, September 29, 2013 02:42 PM
To: Snyder, Michelle (CMS/OA) 

Subject: Fw: Discussion points 

Hi M, just sending this to you so I don't distract folks in mid-flight this afternoon. On load/performance, it will be very
helpful at the end of the day for you to do a gutcheck -- with Henry and Dave and whomever else they'd like to include
(I'm happy to join as well) -- to net out where we are, make an educated guess about what is likely to happen on Oct 1,
and recommend to Marilyn that we go/no go. I'm sure you have already thought this through, but here's a sample "logic
path" to talk through with Henry/Dave and team, building on the questions from the earlier email (I know you're
hyperfocused on other items like call center right now, so I thought I might prep this for you at least as a draft):

-- Does the performance testing that the team has done give you confidence that the FFM can handle 21,000
concurrent users with existing hardware and about 90,000 concurrent users with the new hardware added — with great
user response times? What might the holes be in terms of our knowledge of system performance?

-- Where are we in the installation and activation of the new hardware? How confident are we that all of it will be
online and ready by Monday COB?

- Confirm that the 90,000 concurrent user figure means that literally 90,000 people can be hitting the exact same
keystrokes, doing the exact same thing, stressing out the exact same precise part of the FFM, at the exact same time
- Confirm that what for sure doesn't impact the FFM's functionality or access is if there happens to be a lillion other
people hitting the homepage/"Learn about the Marketplace" pages on HealthCare.gov at that same moment, because
it's technically separate from the Get Insured workflow. (And you should confirm that the homepage/"learn" pages on
HCgov are ready for an onslaught (including Akamai caching))

- Question: while 90,000 users in the FFM functionality itself are all doing the exact same thing to the FFM in a single
unified punch at the same millisecond, what can other users in the FFM workflow be doing? Can many others be "in
between" clicks i.e., reading a page, filling out fields on a webpage before hitting submit, surveying their plan options?
What is our even rough intuitive sense about if others can also be actively exercising different parts of the FFM
different clicks on different functionality?

- Based on the above and what we might guesstimate about Day 1 use patterns, what kind of overall total FFM user
volume for Day 1 do we think is supportable if we can support 90,000 concurrent FFM workflow users? (This is
obviously going to be a swag, because it's hard to predict distribution of visits over the course of the day, but
Dave/Henry may have some instincts about this based on past experience)

- What happens after the 90,000 concurrent user threshold is reached? Is there gradual degradation of response time
for users? Rapid degradation? Immediate crashing?

- What is your best professional gut guess (based both on what you know and don't know) as to the percentage
probability that the system will slow to unacceptable levels of performance, or crash entirely? (They may only really be
able to give you a qualitative sense of this)

- Should we go live on Oct 1?

Again, just a suggestion/draft as to the logic path - feel free to shred/add items/delete items/change entirely :)


— Original Message — 

From: Park, Todd 

Sent: Sunday, September 29, 2013 10:27 AM
To: Snyder, Michelle (CMS/OA) <[redacted]>; Chao, Henry (CMS/OIS) <[redacted]>

Bowen, Marianne (CMS/OA) <[redacted]>

Subject: RE: Discussion points


Hi Michelle, as your consigliere, I do recommend that you ask the questions below - which are of course questions that
Henry is already asking himself, but it would be good for you to know the answers as well :)


And Henry, needless to say: work to actually continually make key things better takes absolute precedence over
question answering :)

And again, the only questions you should answer are from Michelle :) I've added her additional question and put it at
the top of the recapped list below (and have also adjusted the numbers based on the update). She can pick from #2
through #6 below and designate which ones she really cares about :)


And I've taken a shot at answering some of them (#2, #4, #5) based on my understanding from the brief discussion this
morning — which Henry can correct as necessary:


(1) Would it help to have someone like NGS help with the testing on an ongoing basis?
A: 
From: Park, Todd
Sent: Sunday, September 29, 2013 7:13 PM
To: 'Michelle.Snyder[redacted]
Subject: Re: Discussion points


M, I think (knock on wood!!!!!!!!) that you and team are actually going to pull off the feat of the century - a feat that will
go down in history, and literally change the course of history for the better. No other team could have possibly come
close to what you've done and are doing. No one.

We all as Americans owe you and team an extraordinary debt of gratitude - for your incredible ingenuity, your deep
sacrifice, your superhuman level of effort and focus, your extraordinary tenacity. You have my word that I will continue
to do everything in my power to make sure everyone understands this in the months and years ahead. I know y'all are
not chest-thumpers — that's part of what I love about all of you — but I really do think that it's important for folks to
understand how absolutely incredible you and team are, and I will continue to spread that understanding.

Please don't ever hesitate to ask me for anything I can do to be helpful on this or any other front - and if there is any
way for me to help celebrate the team - whether it be cupcakes :) or a meeting with POTUS (which I will start working
on)

Semper fi, and much love, 

Todd 


— Original Message —

From: Snyder, Michelle (CMS/OA) [mailto:
Sent: Sunday, September 29, 2013 07:03 PM
To: Park, Todd

Subject: Re: Discussion points


And I have kept this all from my team. Marianne and Jim and Andi know about how bad it has been. The rest need the
illusion - the four of us have none left 


M 


Sent from my BlackBerry Wireless Device


— Original Message — 

From: Park, Todd [mailto:

Sent: Sunday, September 29, 2013 05:54 PM
To: Snyder, Michelle (CMS/OA)

Subject: RE: Discussion points


Yes, got it. On the call with MT, Chris, and Jeanne, MT said that she appreciates the additional info we will generate
tonight, but that she and she alone will make the decision to go or not - which of course is right. And the way she is
thinking about it from a performance standpoint is that if enough of the additional hardware gets online to give us an
insurance policy, she is comfortable proceeding, with 90,000 concurrent users being far beyond the 50,000 that was the
CMS target
Message

From: Tavenner, Marilyn (CMS/OA) [/O=HHS EES/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=MARILYN.TAVENNER.CMS]

Sent: 6/26/2013 9:55:47 PM

To: Todd_Y_Park[redacted]; Snyder, Michelle (CMS/OA) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Michelle.Snyder.CMS]; Chao, Henry (CMS/OIS) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Henry.Chao.OS]

CC: Khalid, Aryana C. (CMS/OA) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Aryana.Khalid.CMS]

Subject: Re: Follow-up


Thanks Todd. Appreciate the help as always!!!!

From: Park, Todd [mailto:
Sent: Wednesday, June 26, 2013 05:34 PM

To: Tavenner, Marilyn (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)

Subject: Follow-up

Hi Marilyn, Michelle, and Henry,

After talking with Henry and team, I spoke with Mark about the logo issue, and explained why attempting to add logos
for October 1 is extremely unwise. He understands. He may want me to get on the phone with someone from the Blues
so they fully understand it. I'm more than happy to do so on your behalf - this issue should not consume any more of
your time.

Marilyn, I'm also going to visit with Henry and team for one of our evening deep-dive sessions to get up to speed on the
latest status of IT and testing - during the week of July 8. Michelle, Henry, and I had a check-in call today, but I think
that Henry is right that to really understand current status and next steps, there is no substitute for an evening
deep-dive. So I'll bring healthy food and snacks to Baltimore and camp out with Henry and team for a few hours :)

All the best,

Todd
Both Julian and David took great pains to ask that the visit not be
disruptive to your work - I think that the message to give y'all the
space to rock and roll is spreading :)

So I'm thinking a focused two-hour visit, in Baltimore, going thru the
live workflow, and using high-level materials you already have.

Would next week be best, or would the week after be better, or would
either week be fine? I haven't yet pinged David and Julian for their
availability, but wanted to see what was optimal for you first. It would
be good to combine both of their visits, to save you time. Thoughts on
timing? 

Michelle, it would be terrific for you to join -- would be great for you 
to meet Julian and David, both of whom are terrific; and I've told both 
of them that you and Henry are pure awesomeness ;) 

Thanks! 

Todd 


— Original Message —

From: Chao, Henry (CMS/OIS)

Sent: Thursday, July 25, 2013 09:53 AM
To: Park, Todd
Cc: Oh, Mark U. (CMS/OIS); 'cheryl.campbell[redacted]; 'Lakshmi.Manambedu[redacted]; Couts, Todd (CMS/OIS);
Outerbridge, Monique (CMS/OIS); Grothe, Kirk A. (CMS/OIS); Berkley, Katrina (CMS/OIS); Rhones, Rhonda D. (CMS/OIS);
Graubard, Vivian; <rich.martit^; Wallace, Mary H.; Booth, Jon G. (CMS/OC)

Subject: Walk through of the online application in hc.gov


If you recall we had agreed to provide you a walk through and demo of the 
online application in its current form so you can get a chance to peek 
under the covers of hc.gov . 




Key Points Discussed

dependencies from consent

Workgroup Updates

Marilyn Tavenner has been engaged in the consent resolution conversations.

• Details cannot be flushed out until these conversations are complete.

• CMS has been ordered to await the completion of these discussions before
determining the necessary changes to the baseline schedule.

Todd Park has been engaged in discussion on NIST Level 2 inter-mechanics.

• CMS is moving forward with following this process, which represents SSA's
understanding, as well.


SSA is interested in unde 
integrated testing, as ^ 


downstream impact on the overall 


ngthe high-level decision, 


Scheduling 

• ' Highest risk to it^^ientation associated wi^^aiting the high-level decision, 

as opposed to bu^ ^^o r the wor^case scenarfdf^^ 

■ o Broad risk: Sc^^ile a^^^^lementation r^^^^uld be the largest 
^ncerns. The sr^^^^^esents a risk of a 2'4l^ek delay. 

must agre^^^the schedule risk is a priority and must find 
. the loi^^^from other areas, 

o {^^pndea?«|^q;-^hom thl^^^tary is In discussion with or what the 
_ ^ ‘I sti^^pfthe dt^souSaon IS XT'^' 

p Tearii^^oi^l^eretil^^^e simultaneous development between the 

Ik- iega*‘s^^§' the IT builWfthe higher level Issues were being 

-wll ■■ address^^e interagency team is not in full agreement on this issue. 
Slack like the teams to continue making technology 
j;.. progress 

Clarification: Identification Proofing vs. Consent

Consent is a legal issue, whereas, identity proofing is a solution and process that
needs to be established.

• is relying on the Privacy Act for legal authority on ID proofing as there is
It^e provided in the Act.

o Legal team is currently working this issue.
o Identity proofing would be built in as a process for verifying an
individual's identity.

• Previous decision to use two IRS challenge questions at the threshold has been
reconsidered and is currently being discussed.

• Suggestion: A smaller group of key individuals may need to reconvene on this
topic in 3-4 weeks including Marilyn because of her involvement with the
scheduling.


Integrated Project Plan


The IPP needs to be addressed before focusing on the schedule
'Brian.Cook[redacted]; 'Michelle.Snyder[redacted]

Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?


Thanks Todd - if your team could draft the cyber talking points, that would be very helpful. Thanks so much.
We are still working on finalizing the paper but will share those with everyone as soon as they are ready. 


From: Park, Todd

Sent: Tuesday, September 17, 2013 7:22 PM
To: Santillo, Jessica; 'tony.trenkle[redacted]
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman[redacted]; 'Brian.Cook[redacted]; Michelle.Snyder[redacted]
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?


Thanks, Jessica. Tony and Frank, can you join via phone? You'll only be asked to help with the cybersecurity part of the
call ;) I am more than happy to deliver the primary talking points, which will focus principally on Marilyn's letter
regarding Hub cybersecurity + the general points the three of us hammered out a while back. 


Jessica, are you putting together talking points for us, or would you like me to take a crack at them? 


Thanks, 

Todd 


From: Santillo, Jessica

Sent: Tuesday, September 17, 2013 07:13 PM

To: Park, Todd; Trenkle, Tony (CMS/OIS)

Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T.; Snyder, Michelle (CMS/OA)

Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?


Hi Todd - happy to have Tony and Frank join us for the cyber security portion.


On your first question - the call is on background according to “White House officials.”

Thanks very much for making this work on such short notice. We will hold the call in EEOB 207. I will send
around a calendar invite.


Thank you again, 
Jessica 


From: Park, Todd

Sent: Tuesday, September 17, 2013 6:14 PM
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica

Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle
(CMS/OA)

Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow? 
From: Fasching, Laura
Sent: Saturday, September 28, 2013 10:47 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Glad to help, let me know if you need anything else gentlemen :)
Laura


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039


From: Park, Todd [mailto:]

Sent: Saturday, September 28, 2013 10:38 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS)

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


That is super-awesome Laura, thanks so very, very, very much!!!!


From: Fasching, Laura [mailto:

Sent: Saturday, September 28, 2013 10:36 PM
To: Chao, Henry (CMS/OIS); Park, Todd
Cc: Fasching, Laura

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Todd & Henry, 


The shipper is picking up the equipment in the next 90 minutes from the Miami data center and we expect the shipment 
to arrive between 9:30 AM to 10:00 AM. :)

So Monday COB is looking good as long as we keep the shippers on schedule, as the build teams will be working at 6 am 
with the equipment that was brought in today. 

Laura 


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark

222 W Las Colinas Blvd, Irving, Texas, 75039


From: Chao, Henry (CMS/OIS) [mailto:

Sent: Saturday, September 28, 2013 9:03 PM
To: Fasching, Laura; Todd Y Park [redacted]

Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?


I got the approval from our COO and head of Contracts to go with the 40k option.
Contracts said we will have to work out how this can be a line you can bill in the contract but no problem figuring that
out later.


Henry Chao

Deputy Chief Information Officer and Deputy Director

Office of Information Services

Centers for Medicare & Medicaid Services

7500 Security Blvd

Baltimore, MD 21244

(Pri)

(Alt)

(BB)


From: Fasching, Laura [mailto:

Sent: Saturday, September 28, 2013 09:00 PM
To: Park, Todd <[redacted]>; Chao, Henry (CMS/OIS)

Cc: Fasching,

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Ok great Henry can I get confirmation that the Government will Pay for the plane? We have to get David Small's 
Approval so we will need to call him as soon as possible. 


Thanks and sorry to rush you all. 


Laura 


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039


From: Park, Todd [mailto:]

Sent: Saturday, September 28, 2013 8:50 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS)

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


FYI, the private plane option I am pursuing would likely cost about the same as the Fedex expedite cargo plane option
below.

Henry, I think that delivery to the data center mid-day Sunday sounds really, really, really good....


From: Fasching, Laura [mailto:

Sent: Saturday, September 28, 2013 8:46 PM
To: Park, Todd; Chao, Henry (CMS/OIS)

Cc: Fasching, Laura

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?
Importance: High


Ok here is what I was able to do

I was able to get to FedEx Custom Critical they can drive it to us via a truck with pickup tonight @ 11:00 PM (ish) and
delivery around 9 PM on Sunday night for $3700.00
Or 
To: Chao, Henry (CMS/OIS); Fasching, Laura

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Laura, by when do you need to make a decision about whether to send via private ground, private cargo plane, or Air
Force (if Air Force is indeed an option?)

And to confirm private ground would deliver the hardware on Tuesday (to be installed Wednesday?), private cargo
plane would deliver the hardware on Monday (to be installed Tuesday?). With no possibility of acceleration of those
timetables?


From: Chao, Henry (CMS/OIS) [mailto:

Sent: Saturday, September 28, 2013 7:29 PM
To: 'laura.fasching[redacted]'; 'Todd

Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Todd--it's in your hands now to make a quick decision.


Henry Chao 

Deputy Chief Information Officer and Deputy Director

Office of Information Services

Centers for Medicare & Medicaid Services


7500 Security Blvd
Baltimore, MD 21244

(Pri)

(Alt)
(BB)


From: Fasching, Laura [mailto:

Sent: Saturday, September 28, 2013 07:27 PM
To: Park, Todd; Chao, Henry (CMS/OIS)

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


We have been exploring that option too but no luck so far


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039


From: Park, Todd [mailto:]

Sent: Saturday, September 28, 2013 7:26 PM
To: Chao, Henry (CMS/OIS); Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Also: as another option to explore, in the interest of exploring all options simultaneously, is it possible to arrange for
heroic chartered private sector ground transportation that could get going super-early tomorrow morning and get to
Culpeper by Sunday evening?


From: Park, Todd

Sent: Saturday, September 28, 2013 7:03 PM
To: 'Chao, Henry (CMS/OIS)'; 'laura.fasching[redacted]

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

WH team responded instantly, is working on it as we speak and will get back to us ASAP. But they unfortunately are not
optimistic, so we should explore other options in parallel.

Is there any possibility of arranging for private/commercial cargo plane transport? Chartered, even?


From: Chao, Henry (CMS/OIS) [mailto:

Sent: Saturday, September 28, 2013 6:36 PM
To: 'laura.fasching[redacted]

Cc: Park, Todd

Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?


Just talked to Todd and he is going to talk to the rest of WH that can make this happen so just reply with the confirmed
service to Homestead.

Todd--let us know ASAP so Laura will send via ground if you can't arrange for transport to someplace the Air Force can
land near Culpeper VA.


Henry Chao 

Deputy Chief Information Officer and Deputy Director 

Office of Information Services

Centers for Medicare & Medicaid Services


7500 Security Blvd
Baltimore, MD 21244

(Pri)

(Alt)
(BB)


From: Fasching, Laura [mailto:

Sent: Saturday, September 28, 2013 06:09 PM
To: Chao, Henry (CMS/OIS)

Cc: Fasching, Laura 

Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper? 


Henry, 

We are working on firming up the white glove shippers but once that is done we would be good to go. 

If we get the shippers scheduled and the equipment gets here tomorrow my engineers said they have the resources to
build it out and just like we said before up by cob Monday. 

I will let you know about the shippers within an hour. 


Laura 


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark

222 W Las Colinas Blvd, Irving, Texas, 75039
From: Fasching, Laura <[redacted]>
Sent: Tuesday, October 01, 2013 2:08 AM
To: Park, Todd; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R; michellesnyder[redacted]
Cc: Urn, Peter (CMS/CTR); Sharma, Hemant (CGI Federal) [redacted]; Oh, Mark U. (CMS/OIS); Thurston, Robert (CMS/CTR); Fasching, Laura
Subject: RE: New expansion


Todd & Henry 

As we have been working with your team to assist you in making the Marketplace launch successful, we continue to
work to adapt to your needs.

Right now, I understand that while we add more compute, the team needs the VMs built faster.

In this tasking we are using the best practices that were agreed to as to not induce risk into your builds

• such as utilizing the kickstart process (custom templates of the hardened images) for RHEL 5 & 6; Windows VMs
the SQL VMs utilizes a standard image which requires additional time to harden to NIST standards.

However we have found that due to the size of this environment 1500+ VMs, we are seeing an impact to running too
many builds at once. As doing too builds at once slows down the process by overwhelming the Virtual Center server.

The options we have to increase the speed of the VM builds introduce a SIGNIFICANT RISK to the environment. We do
not suggest either of these options, but I wanted to give you a full picture of the situation.

1. VC Client Basically cloning of existing VMs and while this may seem an easy option

a. Old network configs and FW rules have to be removed first. Then the new ones need to be done, very
time consuming and manual

b. Finally, these VMs will not appear in iCenter. Without them being visible in iCenter, these VMs will be
unmanageable in the future & you will not be able to manage the compute resources.

2. VM import may get the VM's in place but they have the exact same issues as noted above.

We have engaged our vendor URS to increase staffing during this time, and will follow up shortly on the results of that
endeavor. If we can get a couple more people in now it will assist with allowing some team members to focus on the
builds while other field calls and assist with troubleshooting.

Just as we did yesterday when we receive any request for more storage resources than were in either the reserve
capacity or in the expansion order. We will work to adapt to your needs during as you bring the Affordable Care Act's
Insurance Exchanges to the American public.

Thanks 

Laura 


Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039
DEPARTMENT OF HEALTH & HUMAN SERVICES


SEP 10 2013


Centers for Medicare & Medicaid Services


Administrator
Washington, DC 20201


The Honorable Bennie Thompson
Ranking Member
Committee on Homeland Security
U.S. House of Representatives
Washington, DC 20515

Dear Representative Thompson:

Thank you for your inquiry related to privacy and security protections associated with the Data 
Services Hub (Hub) and the status of our work to protect people and programs from cyber- 
attacks in this area. At the Department of Health and Human Services (HHS), we take very 
seriously our responsibility to safeguard personal information in all of our programs, including in 
the Affordable Care Act Marketplace. Collectively, the tools, methods, policies, and procedures 
we have developed provide a safe and sound security framework to safeguard consumer data, 
allowing eligible Americans to confidently and securely enroll in quality affordable health 
coverage starting on October 1, 2013. This framework is consistent with the framework that 
exists for all other HHS programs, such as Medicare, which Americans rely on every day. 

HHS's Centers for Medicare & Medicaid Services (CMS) has a strong track record of preventing
breaches involving the loss of personally identifiable information from cyber-attacks. This is
due in large part to the establishment of an information security program with consistent risk
management, security controls assessment, and security authorization processes for all enterprise
systems. Our system and security protocols are grounded in statutes, guidelines and industry
standards that ensure the security, privacy, and integrity of our systems and the data that flow
through them. These protections include a series of statutes and amendments to these laws, such
as the Privacy Act of 1974, the Computer Security Act of 1987 and the Federal Information
Security Management Act (FISMA) of 2002, as well as various regulations and policies
promulgated by HHS, the Office of Management and Budget, the Department of Homeland
Security, and the National Institute of Standards and Technology (NIST).

In accordance with these provisions, CMS has developed the Hub, a routing tool that helps 
Marketplaces provide accurate and timely eligibility determinations. It is important to point 
out that the Hub will not retain or store Personally Identifiable Information. Rather, the 
Hub is a routing system that CMS is using to verify data against information contained in already 
existing, secure and trusted federal and state databases. CMS will have security and privacy 
agreements with all federal agencies and states with which we are validating data. These include 
the Social Security Administration, the Internal Revenue Service, the Department of Homeland 
Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace Corps and the 
Office of Personnel Management. 

The Hub is designed to comply with the comprehensive information security standards
developed by NIST in support of FISMA. NIST has emerged as the gold standard 
for information security standards and guidelines that all federal agencies follow. Several layers 
of protection will be in place to help protect against potential damage from attackers and mitigate 
risks. For example, the Hub will employ a continuous monitoring model that will utilize sensors
and active event monitoring to quickly identify and take action against irregular behavior and
unauthorized system changes that could indicate potential attacks. Automated methods will
ensure that system administrators have access to only the parts of the system that are necessary to
perform their jobs. These protocols, combined with continuous monitoring, will alert system
security personnel when any system administrator attempts to perform functions or access data
for which they are not authorized or are inconsistent with their job functions.

Should security incidents occur, an Incident Response capability built on the model developed by 
NIST would be activated. The Incident Response function allows for the tracking, investigation, 
and reporting of incidents so that HHS may quickly identify security incidents and ensure that 
the relevant law enforcement authorities, such as the HHS Office of Inspector General Cyber 
Crimes Unit, are notified for purposes of possible criminal investigation. 


Before Marketplace systems are allowed to operate and begin serving consumers across the
country, they must comply with the rigorous standards that we apply to all federal operational
systems and CMS's Chief Information Officer must authorize the systems to begin operation. I
am pleased to report that the Hub completed its independent Security Controls Assessment on
August 23, 2013 and was authorized to operate on September 6, 2013. The completion of this
testing confirms that the Hub comports with the stringent standards discussed above and that 
HHS has implemented the appropriate procedures and safeguards necessary for the Hub to 
operate securely on October 1. 

The privacy and security of consumer data are a top priority for HHS and our federal, state, and
private partners. We understand that our responsibility to safeguard our systems is an ongoing 
process, and that we must remain vigilant throughout their operations to anticipate and protect 
against evolving data security threats. Accordingly, we have implemented privacy and security 
measures for the Marketplace systems that employ measures similar to those in the private sector 
and we will continually validate through a variety of methods. 

In closing, we have produced an extremely strong enterprise information security program by 
implementing state-of-the-art controls and business processes based on statutory requirements,
agency and organizational commitments, best practices, and the experience and knowledge of 
our subject matter team members. This has resulted in the development, testing and readiness of 
the Hub to operate on October 1 to serve consumers across the country in a secure and efficient 
manner. We hope this information is responsive to your inquiry. Thank you for your interest in 
and leadership on this important issue. 


Sincerely, 




Marilyn Tavenner
From: Russell, DeLaine <
Sent: Wednesday, September 11, 2013 11:10 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Park, Todd; Cook, Brian T. (CMS/OC); Aronson, Lauren (CMS/OL); Snyder, Michelle (CMS/OA); Baitman, Frank (OS/ASA/OCIO); Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Gartner

Tony, 

Thank you for sending the letter. I have identified Gartner analyst Christian Byrnes, who will review and provide
comment. Christian is a managing vice president at Gartner. His team is distributed across the globe and covers the
management of risk-related programs such as Information Security, Business Continuity, Privacy and Compliance. In
addition, he confers with leading organizations worldwide on technology direction, security trends and best practices.
I will provide his response as soon as possible.

DeLaine 


DeLaine Russell | Vice President - Public Sector | Gartner, Inc | 4501 N. Fairfax Dr. | Arlington, VA 22203 | U.S.A.
www.gartner.com

Please consider our environment before printing


-----Original Message-----
From: Trenkle, Tony (CMS/OIS) [mailto:]
Sent: Wednesday, September 11, 2013 li:M AM
To: Russell, DeLaine
Cc: Park, Todd; Cook, Brian T. (CMS/OC); Aronson, Lauren (CMS/OL); Snyder, Michelle (CMS/OA); Baitman, Frank (OS/ASA/OCIO); Trenkle, Tony (CMS/OIS); Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: FW: Gartner


Hi DeLaine,

Per our conversation here is the letter that went to the Committee. Please let us know what your analysts' thoughts are.
Thanks.


Tony 


>-----Original Message-----
>From: Aronson, Lauren (CMS/OL)
>Sent: Wednesday, September 11, 2013 9:12 AM
>To: Park, Todd; Trenkle, Tony (CMS/OIS)
>Cc: Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA)
>Subject: RE: Gartner
>
>Here's the final signed letter.




From: Trenkle, Tony (CMS/OIS) [mailto:]
Sent: Thursday, September 12, 2013 08:49 AM
To: Park, Todd
Subject: FW: Comment from Gartner Analyst Christian Byrnes


Todd, 

Does this help? 
Tony 


From: Russell, DeLaine [mailto:]
Sent: Wednesday, September 11, 2013 12:04 PM
To: Trenkle, Tony (CMS/OIS)
Cc: Heiliger, Christopher
Subject: Comment from Gartner Analyst Christian Byrnes


Tony,

Below is what I just received from the analyst. I hope this is what you are looking for. Chris is our most
knowledgeable and experienced information security analyst.

Best, 

DeLaine 


Gartner Inc advises thousands of enterprise and government clients on best practices associated with 
the use of information technology. As a leader of the information security practice within Gartner 
Research I certify that the statements made in this letter represent current best practices for the 
protection of sensitive and regulated data and systems. 

F. Christian Byrnes 

Managing Vice President, Risk and Security Program Management 
Gartner Inc. 



DeLaine Russell | Vice President - Public Sector | Gartner, Inc. | 4501 N. Fairfax Dr. | Arlington, VA 22203 | U.S.A.
www.gartner.com

Please consider our environment before printing
From: Aronson, Lauren (CMS/OL) <
Sent: Thursday, September 12, 2013 10:14 AM
To: Park, Todd; Trenkle, Tony (CMS/OIS)
Cc: Baitman, Frank (OS/ASA/OCIO); Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS); Cook, Brian T. (CMS/OC)
Subject: RE: Comment from Gartner Analyst Christian Byrnes


Yup. We have Gary Cohen testifying before Energy & Commerce next week so we could potentially use this.


From: Park, Todd [mailto:]
Sent: Thursday, September 12, 2013 10:13 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Baitman, Frank (OS/ASA/COO); Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS); Cook, Brian T. (CMS/OC);
Aronson, Lauren (CMS/OL)
Subject: Re: Comment from Gartner Analyst Christian Byrnes


Tony, I think this is super-helpful - Brian and Lauren, perhaps this is something you can hold in reserve in case you need
it?


From: Trenkle, Tony (CMS/OIS) [mailto:]
Sent: Thursday, September 12, 2013 08:49 AM
To: Park, Todd
Cc: Baitman, Frank (OS/ASA/COO); Mellor, Michael (CMS/OIS)
Subject: FW: Comment from Gartner Analyst Christian Byrnes



Todd, 

Does this help? 


Tony 


From: Russell, DeLaine [mailto:]
Sent: Wednesday, September 11, 2013 12:04 PM
To: Trenkle, Tony (CMS/OIS)
Cc: Heiliger, Christopher
Subject: Comment from Gartner Analyst Christian Byrnes


Tony,

Below is what I just received from the analyst. I hope this is what you are looking for. Chris is our most knowledgeable
and experienced information security analyst.

Best,

DeLaine


Gartner Inc advises thousands of enterprise and government clients on best practices associated with the use of
information technology. As a leader of the information security practice within Gartner Research I certify that the
From: Snyder, Michelle (CMS/OA) <
Sent: Thursday, October 10, 2013 5:03 PM
To: Park, Todd
Subject: FW: Item


A. Michelle Snyder
Chief Operating Officer 
DHHS/CMS/OA 



From: Trenkle, Tony (CMS/OIS)
Sent: Thursday, October 10, 2013 4:54 PM
To: Snyder, Michelle (CMS/OA); Tavenner, Marilyn (CMS/OA); Kerr, James T. (CMS/CMHPO)

Subject: RE: Item 

Here's the answer below, maybe more detail than you want. 

From: Schankweller, Thomas W. (CMS/OIS)
Sent: Thursday, October 10, 2013 2:08 PM
To: Fryer, Teresa M. (CMS/OIS)
Cc: Ashbaugh, Jason L. (CMS/OIS); Linares, George E. (CMS/OIS); Outerbridge, Monique (CMS/OIS); Oh, Mark U.
(CMS/OIS); Chao, Henry (CMS/OIS); Warren, Kevin (CMS/OIS)
Subject: RE: Admin passwords and insecurity in healthcare.gov

Hello all.

Here is the feedback regarding this inquiry.

Statement: 

CMS (CIISG) acknowledges the feedback by the security community. Analysis of the code and a review of the
operational environment has confirmed that the site is secure and operating with low risk to consumers.

The code that has been reposted to Pastebin and commented on by TrustedSec is intended to be available to the public
code as it makes the user interface (UI) of the site function. By design, these "resource bundles" contain all of the
non-personalized text the user will see throughout the site. There is no admin level ID's or passwords located within the java
script posted on-line. The code base at CGI has also just been queried for strings such as "admin password" and
"abc123gov" per the twitter screenshot. No evidence was located that there is admin credential revealed. The person
who retweeted with the abc password is just being humorous.

The XOC Security team and the SCA test team does run all of the tools mentioned in the article. A lot of commented
code was removed prior to production, and the need to perform JS comment-removal/minification/obfuscation is a
roadmap item, in fact it is scheduled for release to the Test2 environment tonight. Performing minification requires a lot of
testing to ensure the application is not broken during YUI compression. As java scripts can be improved they will be
released with subsequent builds.

To the other points in the article: The marketplace does not use PHP so that is a non-issue. The use of Captcha was
considered at one time, but removed to ensure 508-Compliance and to more importantly to remove burden on a
consumer as A Good Consumer Experience was a design consideration. Also the concept of guessing ID's to see if there
is a valid one or not is a known risk. We can look into taking steps at locking down access controls further, but it would
negatively affect the user-experience.


Regards, 

Tom Schankweller, CISSP
Information Security Officer, CCIIO
CMS\OIS\CIISG

Consumer Information and Insurance Systems Group
(Bait. Office, N2-13-22) 

(Mobile) 



From: Snyder, Michelle (CMS/OA)
Sent: Thursday, October 10, 2013 4:41 PM
To: Trenkle, Tony (CMS/OIS)
Subject: Fw: Item

Could you take a look?

Sent from my BlackBerry Wireless Device


From: Tavenner, Marilyn (CMS/OA) 

Sent: Thursday, October 10, 2013 04:10 PM 

To: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO)
Subject: FW: Item

Wanted you to have this in case you want to have tony reach out to them


From: Park, Todd [mailto:]
Sent: Thursday, October 10, 2013 2:11 PM
To: Tavenner, Marilyn (CMS/OA)
Subject: Item


Marilyn, this got sent to me by someone who says these guys are on the level. I would suggest that the
Marketplace IT security folks check it out (and potentially reach out to these guys as well)


https://www.trustedsec.com/october_2013/affordable-health-care-website-secure-probably/
Is the Affordable Health Care Website Secure? Probably not.


With the Affordable Health Care Act moving into full momentum - there are a lot of privacy and security concerns 
for any new major government program being implemented. It’s no secret that the website, the infrastructure, and 
the staffing has been a challenge to get up and running in the appropriate timeframes. Coming purely from the
security industry and seeing corporations, deadlines, and tight timeframes snag security objectives - there should be 
major concern on the implications this system has on what will become the largest database of Americans in 
recorded history. 

The Affordable Health Care Act websites cost an estimated 654 million to develop
(http://www.digitaltrends.com/opinion/obamacare-healthcare-gov-website-cost/). One would hope that there would
be heavy security integration into the software development lifecycle and best practices followed in the most 
extreme circumstances. As you can imagine, the site is going to be a major target for hackers, other governments, 
and organized crime. There’s a lot of money to be made right now in an untapped market that is fresh for the picking. 

We decided to look around - please note that there was nothing malicious, no hacking, and nothing intrusive 
involved in this test in any regard. We simply browsed the website as a normal visitor without any type of attacks at
all. Just by looking at information, you can determine the quality of the code, and whether simple best practices in
security are being followed. 


https://www.trustedsec.com/october_2013/affordable-health-care-website-secure-probably/ 11/18/2014

Below is in the “Log in” page and the “Forgot password” link. Note when you enter a username that is invalid, it 
returns quickly that the username is invalid. 


[Screenshot: HealthCare.gov "Forgot password" form ("What is your Marketplace username?") displaying an error message for the entered username.]


Note when you place a valid user:


[Screenshot: the same HealthCare.gov "Forgot password" form ("What is your Marketplace username?") with a username entered.]

As you can see, you can enumerate valid and invalid user accounts in the database. Even worse, there is no form
or appearance of automation deterrents such as CAPTCHA or image verifications that a human is attempting this. We
can easily feed this through Burp Intruder for the content length from the response to see which usernames were
actually valid. Essentially you could enumerate the entire database of user accounts in the new healthcare.gov 
website through brute forcing the response codes and finding valid usernames. 

Additionally, developer comment code is plastered everywhere which gives an attacker a significant amount of
understanding about the application - these are literally everywhere on almost every page that's opened and all
third party files:

//global variable used for SHOP upload functionality
var myView = null;
var agentBrokerSAMLToken = null;
var postCCRApplicantIDToken = null;
var postCCRAppIDToken = null;
var postCCRState = null;
var agentEmailUUID = null;

Even crazier, doing some Google reconnaissance, we found an indexed site that a subsite used CKEditor - NOTE we 
did NOT attempt to even follow the link to verify if it’s there. 

[Screenshot: Google search for "site:healthcare.gov filetype:php" returning a result under finder.healthcare.gov/cms/sites/all/modules/ckedit... with the note "A description for this result is not available because of this site's robots.txt".]

CKEditor has a number of known exposures here: Search results for CKEditor on Exploit-DB

We’ve also identified some significant ones that we can't post online due to the critical nature of them and 
attempting to contact the development team for the website to remediate. Our intent is not to point out flaws, show 
flaws, or demonstrate insecurities, only to bring the light that based on viewing like a normal user, there appears to 
be things that would indicate that there should be major reason for concern here. 

Again - nothing malicious performed here and we truly have no idea what the real exposures are without 
performing a full test on this, which we would have hoped would have been performed prior to any major production 
release. 

By davek | October 9th, 2013 | October_2013 | Comments Off
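
The enumeration issue the article describes (a "Forgot password" form that answers differently for valid and invalid usernames, with no automation deterrent) is shown below as an added defensive example, not code from the article, CMS or HealthCare.gov. The account data, handler names, reply text and rate limits are all assumptions constructed for illustration; the hardened handler returns one reply for every username and throttles each client, and the last function is a regression check a team could keep in its test suite.

```python
import time
from collections import defaultdict, deque

# Constructed sample accounts (not real data).
ACCOUNTS = {"janedoe": "jane@example.test", "jsmith": "jsmith@example.test"}

# One reply for every username, so status and body length carry no signal.
GENERIC_REPLY = ("If that username exists, we have sent reset "
                 "instructions to the email address on file.")


def forgot_password_leaky(username):
    """The behaviour the article reports: the answer reveals whether the
    username exists (different status code and different body length)."""
    if username not in ACCOUNTS:
        return 404, "Error: that username is not valid."
    return 200, "We have sent you an email with instructions."


class ForgotPasswordHandler:
    """Hardened handler: uniform reply plus a per-client sliding-window limit.

    max_requests and window_seconds are illustrative values, not a standard.
    """

    def __init__(self, max_requests=5, window_seconds=300, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.clock = clock
        self.recent = defaultdict(deque)   # client id -> request timestamps
        self.outbox = []                   # stands in for an async mail queue

    def _throttled(self, client_id):
        now = self.clock()
        hits = self.recent[client_id]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return True
        hits.append(now)
        return False

    def handle(self, client_id, username):
        # The limit is applied before the lookup, so the throttle response
        # is also independent of whether the username exists.
        if self._throttled(client_id):
            return 429, "Too many requests. Please try again later."
        email = ACCOUNTS.get(username.strip().lower())
        if email is not None:
            # Queue the mail instead of sending inline, so response time
            # does not differ between known and unknown usernames.
            self.outbox.append(email)
        return 200, GENERIC_REPLY


def distinguishable(handler, known_user, unknown_user):
    """Regression check: True if status code or body length differs between
    a known and an unknown username, i.e. the endpoint can be enumerated."""
    known = handler(known_user)
    unknown = handler(unknown_user)
    return known[0] != unknown[0] or len(known[1]) != len(unknown[1])
```
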
Message

From: Park, Todd
Sent: 6/26/2013 2:03:17 AM
To: Snyder, Michelle (CMS/OA) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Michelle.Snyder.CMS];
Chao, Henry (CMS/OIS) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Henry.Chao.OS]
Subject: RE: Draft writeup

Is it possible to get any edits/corrections/additional detail by COB Thursday?

Would love to loop back with Jeanne and Mark on Friday before I head out for (an attempted) vacation from July 1 to
July 5. I gave Jeanne a heads up today to telegraph what's coming.

I think that the key will be to give Jeanne and Mark a bulletproof set of talking points they can use to push back in their
conversations with the Blues and have the Blues truly understand why the logo play is a bad idea right now. (I don't
think the Blues really understand that yet).


From: Snyder, Michelle (CMS/OA)
Sent: Tuesday, June 25, 2013 5:4^
To: Park, Todd; Chao, Henry (CMS/OIS)
Subject: RE: Draft writeup


Looks good...


A. Michelle Snyder
Deputy Chief Operating Officer
DHHS/CMS



From: Park, Todd
Sent: Tuesday,
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Subject: Draft writeup

Please keep close hold - loop in folks who can help with the details, but don't circulate broadly yet, if you don't
mind. Let me know if this sounds right - any corrections/edits/additions/deletions welcome:

Attempting to integrate logos into the FFM for October 1 is not advisable. This is not because the act of integrating a
logo is by itself a difficult thing to do. It's because the process for collecting health plan and product data from carriers
via templates, loading these data into the HIOS system, validating the data, transferring the data from HIOS into the FFM
QHP database, and having the rating engine retrieve and render that data in the FFM has been locked down, and is
being utilized to support plan data collection/validation and system testing as we speak. Changing the underlying plan
data template and processing routine right now - by adding a new plan data element, the logo - during the crunch-time
sprint we're in from now to October 1, would introduce significant risk. Think of it as trying to change a gear in an
airplane engine in mid-flight. Or adding a new field to an IRS tax form in the middle of filing season. As an isolated act,
adding the field isn't hard. What's hard is the notion of adding it to the tax form via a system modification when that
system is going through an intense time, with a lot of moving parts involved, and where a wrong move could actually
screw the whole system up.

An alternative to changing the core plan data submission/management process and systems (i.e., modifying the carrier
plan data templates, HIOS, the QHP database, and rating engine logic) would be to set up a database of logos outside
this core data management process and have the FFM system, when rendering a given insurance product, pull from
both the QHP database plus the logo database. This is a terrible idea technically, would be prone to error, and still
creates the issue of mucking with the jet engine while it's in flight.

The right way to add logos to the FFM would be to modify the core plan data submission/management process and
systems to include logos as part of the carrier plan/product template and be able to process logos all the way
through. This is not doable for Oct 1 without introducing significant operational risk to the go-live, as discussed
above. We suggest considering it as part of a future release, post October 1 - understanding that it will have to
compete with a lot of priorities. The reasonable thing to do would be to target making this modification in time for the
next cycle of plan bids, in 2014.
From: Chao, Henry (CMS/OIS) <
Sent: Monday, July 22, 2013 10:45 PM
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA)
Cc: Kerr, James T. (CMS/CMHPO); Bowen, Marianne (CMS/OA); Trenkle, Tony (CMS/OIS)
Subject: RE: BCBSA meeting; chatting tonight
Attachments: Chronological account of testing tasks and current status of Issuer testing 7-22-2013.docx
Importance: High


Please see attached paper that describes where we are currently with testing with issuers and provides a chronology of
tasks and attempts to address the issues (most which are not correct or inaccurate) captured by M. Siegler in a meeting I
presume with the BCBSA

Dan Miller on my staff led the gathering of the facts for this paper and Dan has been what I call the "IT Ombudsman" for
CMS and issuer testing coordination. Dan, myself, and the rest of my staff are willing to do whatever it takes to get the
Issuers through testing and hope they will work as a community to elevate themselves to an improved operational
readiness posture rather than spend time pointing to last month's challenges that have been overtaken by events. Their
collective energies from Association coordination to marketing to legal to IT to operations should be singularly focused
on doing what it takes to get to October 1

Thanks and please let me know if you need me to walk you through the descriptions.


Henry Chao 

Deputy CIO & Deputy Director, 

Office of Information Services 
Centers for Medicare & Medicaid Services 



From: Park, Todd
Sent: Monday, July 22, 2013 7:33 PM
To: Chao, Henry (CMS/OIS); Tavenner, Marilyn (CMS/OA); Khalid, Aryana C. (CMS/OA); Snyder, Michelle (CMS/OA)
Subject: RE: BCBSA meeting; chatting tonight


Thanks so much, Henry and (echoing Marilyn), take the time you need, and get it to us whenever you can
tonight.... Thanks so much again,

Todd


From: Chao, Henry (CMS/OIS) [mailto:]
Sent: Monday, July 22, 2013 7:23 PM
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA)
Subject: Re: BCBSA meeting; chatting tonight

We'll address in the write-up coming around 9pm.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244



From: Park, Todd [mailto:]
Sent: Monday, July 22, 2013 07:16 PM
To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Subject: RE: BCBSA meeting; chatting tonight


Hi Henry, just spoke with Marilyn if your writeup tonight could address each point in the Siegler email (including the
point about subsidy eligibility and back-end app processing being fully on paper), that would be terrific. For
convenience, have repasted the Siegler text below :) Thanks so very much again for doing this!

Siegler email: "The specifics I wrote down from the meeting are as follows. BCBS claimed: there was a 90% failure rate
on the initial "handshake" tests with issuers and the FFM; as of Friday BCBS had not been able to establish "full
connectivity" with the FFM; HHS had scheduled testing of enrollment file transfers to begin on July 15 but that was
delayed one week and is set to begin today; BCBS presented HHS with 23 eligibility scenarios (eg: family coverage no
subsidy, single coverage with subsidy, etc) it wanted to test with their plan data on the FFM system but that testing has
been limited to 6 scenarios and has not yet begun; there are no plans to test the FFM SHOP marketplaces before Oct 1;
they expect subsidy eligibility and back-end application processing to be fully on paper even if an applicant fills out the
online application. They said this could potentially result in 30-90 day delays between when an applicant fills out an
application and when a plan is actually able to enroll the applicant in coverage with a subsidy reduced premium."


From: Tavenner, Marilyn (CMS/OA) [mailto:]
Sent: Monday, July 22, 2013 S:S9 PM
To: Park, Todd; Khalid, Aryana C. (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Subject: Re: BCBSA meeting; chatting tonight


Todd please call me if you want to talk.


From: Park, Todd [mailto:]
Sent: Monday, July 22, 2013 06:57 PM
To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Subject: RE: BCBSA meeting; chatting tonight


Apologies for the quick follow-on email would very much love to chat tonight for a few minutes; will make myself
available any time; just name the time; thanks so much! 


Todd 


From: Park, Todd
Sent: Monday, July 22, 2013 6:51 PM
To: marilyn.tavenner; Khalid, Aryana C (CMS/OA); michelle.snyder; henry.chao
Subject: FW: BCBSA meeting

Hi Marilyn, Aryana, Michelle, and Henry, hope you had a terrific weekend! I think you've already seen the email below,
and you may already be writing up your thoughts on it. In whatever way is most time-efficient for you (including
jumping on the phone for a few minutes tonight, if that is easiest), was hoping to get your thoughts to be prepped for
the ACA outreach meeting tomorrow morning at 11 (if this comes up as a topic of discussion)


What might work best for you? Thanks so much,
Todd


From: Siegler, Matthew [mailto:]
Sent: Monday, July 22, 2013 05:03 PM
To: Lambrew, Jeanne; Hash, Michael (HHS/OHR); Primus, Wendell; David Schwart; Egorin, Melanie; Nelson, Karen;
Aronson, Lauren (CMS/OL); Milter, Erin
Subject: BCBSA meeting


Hi All,

Sorry for the memory lapse, but the paper BCBS left with us did not go into specifics on the testing/readiness
issues. They said they would send us that information. I've just pinged them about it and will share as soon as we have.

The specifics I wrote down from the meeting are as follows. BCBS claimed: there was a 90% failure rate on the initial
"handshake" tests with issuers and the FFM; as of Friday BCBS had not been able to establish "full connectivity" with the
FFM; HHS had scheduled testing of enrollment file transfers to begin on July 15 but that was delayed one week and is set
to begin today; BCBS presented HHS with 23 eligibility scenarios (eg: family coverage no subsidy, single coverage with
subsidy, etc) it wanted to test with their plan data on the FFM system but that testing has been limited to 6 scenarios
and has not yet begun; there are no plans to test the FFM SHOP marketplaces before Oct 1; they expect subsidy
eligibility and back-end application processing to be fully on paper even if an applicant fills out the online application.
They said this could potentially result in 30-90 day delays between when an applicant fills out an application and when a
plan is actually able to enroll the applicant in coverage with a subsidy reduced premium.


Thanks, 


Matt 




Matthew Siegler 
Counsel 

Committee on Energy and Commerce 
Subcommittee on Health 
Democratic Staff
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Per our discussion and forwarded email from M. Siegler, here are key facts about the current state of engaging the 
Issuers testing the enrollment functions of the FFM and Data Services Hub. My team and ! believe that the first few 
bullets should illustrate the chronology of testing events/tasks since the end of May when the Trade Associations 
welcomed our revised accelerated testing approach. The last few bullet points attempts to objectively address the key 
issues raised by the BCBSA. 

• Acceleration of Issuer Testing Engagement Since End of May : At the end of May, CMS announced to the issuer 
community a greatly accelerated FFM & Data Service Hub testing schedule, in which the key activities of issuer 
onboarding, connectivity testing with the Data S er\rices Hub, issuer-initiated Direct Enrollment and FFM -initiated 
Enrollment transaction testing (834), and Plan Preview testing would launch with a series of thrice -weekly 
technical webinars in June and July, rather than waitingfor those activities to oc cur in mid-to-tate Augustas had 
been previously communicated. The Trades expressed their gratitude at the acceleration; AHIP called Aryana 
Khaiid on May 21’' after Henry announced the acceleration on May 17 to thank CMS and to say they knew 
what a heavy lift it was to move testing up. 

• Thrice-Weekly Issuer Technical Webinars : Since May 30*'’, CMS has held 20 webinars and interactive Q&A 
sessions to engage issuers in the onboarding and issuer enrollment integration testing process, including the 
creation of the "CMS-lssuer Testing Technical Work Group” and "CMS -issuer ED! Technical Work Group" 
webinars regularly attended by 200-300 participants per session, and each including Q&A between issuers and 
CMS's technical subject matter experts. 

• CMSzONE and CMS Technical Document Dissemination to Issuers: Since May 30th CMS has posted 58 technical 
guidance documents on CMSzONE, a secure, online repository for the issuer testing community, including the 
Issuer Onboarding Guide & Testing Handbook, Direct Enrollment Test Data documentation and EDI Test Files, 
onboarding instructions, Issuer testing frequently asked questions (FAQ's) and all documents shared during the 
technical webinars. 

• Issuer Onboarding & Testing Steps: In order for an issuer to conduct end-to-end testing they must accomplish 
three key activities: 

1. Complete an onboarding form that identifies how their respective system will connect with the Data 
Services Hub 

2. Complete configuration of electric file transfer (EFT) in the pushing or pulling of enrollment transaction 
files (EDI 834 transactions for example) 

3. Complete Web connectivity testing for those issuers participating in Direct Enrollment 

Of those three key activities, the following bullet points indicate where we currently stand and hopefully clarify some 
of the issues that in some cases are non-issues: 

• Issuer Onboarding Status: 143 issuers have submitted onboarding forms to date; however, of the issuers who 
have submitted QHP's directly in the HIOS system for the 19 FFM States, as of the end of last week, CMS is still 
waiting to hear from more than 60 issuer organizations who have not yet submitted a form at all, the first step 
in the onboarding process that CMS launched in mid-June. 

• Most Issuers were not ready as of 7/15: Based on our close monitoring of progress by Issuers, CMS made an 
announcement during the week before leading up to 7/15 start of testing, because of low percentage of issuers 
that have been able to complete connectivity testing (less than 10 Issuers out of 75 Issuers having completed 
connectivity testing before 7/15), CMS decided to extend the Connectivity testing until 7/19 and provide 
additional/focused technical assistance during the week of 7/15. From that effort, we've more than doubled the 
number of Issuers that are now ready for Integrated testing with FFM. 

• Issuer EFT Connectivity Status: Of the 143 issuers who have submitted onboarding forms, 63 issuers have 
completed EFT configuration for the outbound and Inbound receipt of 834 files; CMS is waiting on some 
information from 35 issuers in order to complete this step (and an additional 9 issuers who were just added via 
the onboarding process). When initially establishing connectivity with the issuers in early July, technical 
configuration issues were discovered on both the CMS and the issuer sides. In order to optimize the remaining 
testing time, and to avoid the time involved in individual configuration and troubleshooting, on July 18 CMS 
began switching many issuers from a "push" to a simpler "pull" model in order to complete connectivity. 

• Issuer Web Services (Direct Enrollment) Connectivity Status: Of the 75 issuers participating in Direct 
Enrollment, CMS is still waiting on 38 issuers who have not yet responded in supplying the required information 
to start the Web Services test. Of the remaining 37 issuers, all have been set up by CMS, and of those, 24 issuers 
have passed the Web Services connectivity testing. 

• SHOP Testing: CMS has focused issuer testing first and foremost on individual Direct Enrollment and Enrollment 
834 Transaction (834 is the HIPAA Standard Transaction for Health Plan Enrollment) testing as it relates to the 
individual marketplace, as this covers the broadest and most complex functionality in advance of October 1. 
CMS has placed SHOP testing (as well as other aspects such as Lead Generation Testing) as a secondary priority 
once the former is underway. CMS does anticipate testing SHOP with the issuers in advance of October, and 
plans to hold a SHOP testing-specific webinar in order to launch SHOP variation of testing in mid-August. The 
SHOP testing will in essence be a simpler version of individual marketplace testing, as it does not entail the 
complications associated with eligibility, verifications, APTC or CSR calculations. 

• Scenarios: CMS is making more than 23 direct enrollment scenarios part of the Direct Enrollment integration 
testing, including all of the scenarios that BCBSC had proposed. For 834 scenarios, CMS limited the overall scope 
to ensure that all issuers would be able to accomplish the required functionality during testing. Once all issuers 
are able to complete issuer enrollment integration testing, CMS plans to expand the number of scenarios. 

• Enrollment File Transfers Testing: After initial plans to begin testing of enrollment file transfers on July 15, 
CMS began sending out the first 834 enrollment files to issuers on Friday, July 19 and has continued testing 
with the "Wave 1" issuers during the week of July 22. 

• Testing Dependency on State DOI Transfer of QHP's in Partnership States: There are dependencies upon State 
DOI's to proceed in testing for those issuers in Partnership (SPM's) states and State Based Marketplaces (SBM's), 
because issuers can only test against those QHP's once they are transferred by the State DOI from NAIC's SERFF 
system to CMS's FFM system. The State DOI's have until July 31 to transfer the QHP's; until the QHP's for any 
given Partnership or NAIC State are transferred, only issuers with QHP's in one of the 19 FFM HIOS States will be 
able to participate in enrollment/834 testing with their QHP data. 

• Application Online Processing: BCBSA mentions there are back end delays that could be 30-90 days but they 
must have something mistaken or the thought was incorrectly captured because applicants that fill out the 
online application are not required to have the paper application filled out; their enrollments can be processed 
in a very short timeframe (e.g. 20-40 minutes.) 

From: Lambrew, Jeanne 
Sent: Tuesday, July 23, 2013 9:38 AM 
To: Tavenner, Marilyn (CMS/OA); Park, Todd 
Cc: Khalid, Aryana C (CMS/OA); Hash, Michael (HHS/OHR) 
Subject: RE: Issuers 


What do we do about the 25 Hill staffers who heard this information yesterday/many more who may still continue to 
be hearing this from the Blues through briefings? 


From: Tavenner, Marilyn (CMS/OA) [mailto: 
Sent: Tuesday, July 23, 2013 9:34 AM 
To: Lambrew, Jeanne; Park, Todd 
Cc: Khalid, Aryana C. (CMS/OA); Hash, Michael (HHS/OHR) 
Subject: Issuers 


We have heard again from AHIP that the "issues" are with the Blues.....and I am going to have both the Blues and AHIP 
in tomorrow with Henry et al and see if I can figure it out and make clear how we move forward. I would appreciate 
being able to do that first......and would ask for your support. Thanks Marilyn 
From: Park, Todd 
Sent: Tuesday, July 23, 2013 9:40 AM 
To: Tavenner, Marilyn (CMS/OA); Lambrew, Jeanne; Khalid, Aryana C. (CMS/OA) 
Cc: Cavanaugh, Alicia A. (CMS/OA); Miller, Ruth A. (CMS/OA) 
Subject: RE: Touch base on Issuers 


Just finished talking with Henry and team. Have additional content clarification, and also a clear sense of what we need 
to tell BCBSA in terms of how we all need to work together constructively going forward — Marilyn, I think this would be 
useful info for you going into your meetings tomorrow with BCBSA and AHIP. I have to give brief remarks at an event at 
10 am (for which I need to prepare now), but can talk at 10:30 am, or anytime between 12 and 3. Thoughts? 

-----Original Message----- 
From: Tavenner, Marilyn (CMS/OA) [mailto: 
Sent: Tuesday, July 23, 2013 8:48 AM 
To: Park, Todd; Lambrew, Jeanne; Khalid, Aryana C. (CMS/OA) 
Cc: Cavanaugh, Alicia A. (CMS/OA); Miller, Ruth A. (CMS/OA) 
Subject: Touch base on issuers 

Can we try for a conference call this am. Among us to discuss issues. Thanks. 
From: Tavenner, Marilyn (CMS/OA) 
Sent: Tuesday, July 23, 2013 8:43 PM 
To: Park, Todd; Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA) 
Subject: Re: Meeting today 


Todd gave a great description of the meeting today - 
Having Todd in our camp and knowledgeable is very very helpful! 


From: Park, Todd [mailto: 
Sent: Tuesday, July 23, 2013 08:18 PM 
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA) 
Cc: Tavenner, Marilyn (CMS/OA) 
Subject: Meeting today 



On another front, close hold, as a result of the fire drill last night/this morning, and conversations that have been had 
with BCBSA/AHIP in its aftermath, it looks like substantial improvements will happen in terms of the dynamic on that 
front. Marilyn will discuss with you in more detail. So hopefully that fire drill was not in vain. 


Massive, massive, massive gratitude again for everything that Team CMS has done and continues to do - may the Force 
continue to be with you, and God bless you, 

Todd 
Letter submitted by Representative Scott Peters 


DEPARTMENT OF HEALTH & HUMAN SERVICES 
Centers for Medicare & Medicaid Services 

Administrator 
Washington, DC 20201 

NOV 14 2014 

The Honorable Darrell Issa 
Chairman 
Committee on Oversight and Government Reform 
U.S. House of Representatives 
Washington, DC 20515 

Dear Mr. Chairman: 

As follow up to your September 18th hearing, I am writing to update you that the Centers for 
Medicare & Medicaid Services (CMS) resolved the 22 technical recommendations in the 
September 16th Government Accountability Office’s (GAO) report, “HealthCare.gov: Actions 
Needed to Address Weaknesses in Information Security and Privacy Controls.” We appreciate 
the GAO’s work in this area and are using industry best practices to appropriately safeguard 
consumer's personal information. No person or group has maliciously accessed personally 
identifiable information from the site. 

CMS will continue to strengthen the security of HealthCare.gov throughout its second open 
enrollment period. I hope you find this information helpful and I look forward to working with 
you in the future on this important issue. 


Sincerely, 



Marilyn Tavenner 
cc: Ranking Member Elijah Cummings 

Gene L. Dodaro, Comptroller General, Government Accountability Office 

Minority staff report submitted by Ranking Member Eddie Bernice Johnson 


The View from "80,000 Feet": 

Todd Park in the Run Up to Healthcare.gov 



A staff report by the Minority Staff of the 
Committee on Science, Space, and Technology 
for Ranking Member Eddie Bernice Johnson 
and the Members of the Committee’s Democratic Caucus 


November 18, 2014 

To highlight the key findings of this report: 

1. There is ample evidence that Mr. Park played a very limited role in Healthcare.gov. He 
was the person in the White House that others turned to when they had questions or needs 
related to progress on the program. This produced a voluminous record of queries from 
Park to the top management on the project at the Centers for Medicare and Medicaid 
Services (CMS). Park was engaged in the effort to reach out to diverse communities, to 
build excitement about gaining access to the healthcare Marketplace. CMS relied upon 
Park to assist them with interagency issues and in helping find resources when needed. 
None of that work could be described in any meaningful way as “substantial involvement 
with the development of the website’s privacy and security standards” or “intimately 
involved with the development of the Healthcare.gov website”. Those quotes come from 
the Majority’s staff report of October 28; 

2. Having examined the complete documentary record from the White House, there is no 
record that shows Mr. Park receiving the normal management tools that would be an 
indication of intimate involvement in development. He did not receive the monthly 
progress reports from contractors, nor are there records of any involvement in setting 
contract requirements or giving managerial direction. There is no record that shows him 
engaged in technical efforts at understanding or shaping the design or coding of the 
Healthcare.gov web site. Those responsibilities were retained at CMS. 

3. Based on a complete review of records, the Minority staff conclude there is no credible 
basis for an allegation that Mr. Park misrepresented his involvement in Healthcare.gov in 
his testimony before the House Oversight and Government Reform Committee on 
November 13, 2013; 

4. Based on a complete review of records, the Minority staff conclude that there is no 
credible basis for an allegation that Dr. Holdren misled the House Science, Space, and 
Technology Committee in his representations about Mr. Park's and OSTP’s involvement 
in cybersecurity in the development of Healthcare.gov; 

5. The Science, Space, and Technology Committee’s Majority report of October 28, 2014, 
which made serious allegations suggesting that Mr. Park misled another Committee and 
Dr. Holdren misled our Committee, relied on a creative mixing of documents, from 
different people and periods of time, to try to create the impression that the allegations 
against Mr. Park and Dr. Holdren should be taken seriously. The Majority report also 
misquotes Mr. Park on a significant matter that unfairly suggests Mr. Park was not 
truthful in his testimony before another Committee — we recommend that Members seek 
to have the Majority correct that record immediately; 

6. There is no evidence that Dr. Holdren had any meaningful involvement in Healthcare.gov 
issues, and Park does not include him in his circle of officials engaged in the education 
and outreach work on the launch of the Marketplace; 
7. The Majority attempted to ambush Mr. Park in a fake “briefing” where they were going 
to surprise him with accusatory questions, selective documents, and a transcriptionist. 
When the White House, nervous about the transcriptionist, backed out, the Majority 
issued an accusatory report to push an unfair and unsustainable story-line that attacks Mr. 
Park’s veracity and his reputation. There is no justification for such disrespectful conduct 
towards Mr. Park. 


BACKGROUND 

This staff report is designed to provide background context and detailed documentary evidence 
regarding a hearing to be held by the Oversight Subcommittee titled, “The Role of the White 
House Chief Technology Officer in the Healthcare.gov Website Debacle.” This Committee has 
held two prior hearings on Healthcare.gov and has sent several letters related to the site to the 
Administration, but the focus of all prior work has been cybersecurity on the site.¹ The title of 
the upcoming hearing suggests that the Science, Space, and Technology Committee has shifted 
its focus from an area of clear jurisdiction, cybersecurity, to a broader set of questions about 
program performance. The program was managed and launched by the Centers of Medicare and 
Medicaid Services (CMS), an office at the Department of Health and Human Services that is not 
typically considered to be in the Committee’s jurisdiction. No officials at the White House had 
anything to do with the day-to-day management of the army of contractors who were responsible 
for carrying out all aspects of the project. 

The Majority have telegraphed their messaging for this hearing both in their choice of a hearing 
title and also in a staff report released October 28, 2014. That report was titled, “Did the White 
House Knowingly Put Americans’ Sensitive Information at Risk? Committee Seeks to Clarify 
Contradictions Surrounding Senior White House Official’s Role in Developing Healthcare.gov.” 
That report makes several serious sounding allegations on very thin or tortured readings of an 
incomplete documentary record. The Majority report presents a pastiche of quotes and memos 
cited from different time frames, mixed together in clever but misleading ways, with many of the 
quotes in the report not involving Mr. Park at all and with no effort to clarify which of those 
things he may have known and which he certainly did not know. 

Yet this stew of statements is woven together in a way that attempts to set the stage for a claim 
that both Mr. Park, the former Chief Technology Officer and Special Assistant to the President, 
and Dr. Holdren, the Director of the Office of Science and Technology Policy (colloquially, the 
President’s science advisor), misled the Committee on Oversight and Government Reform and 
the Committee on Science, Space, and Technology. The report quotes, and, in one instance, 
misquotes, Mr. Park to prove the central allegations of the report: that Park was “intimately 
involved with the development of the Healthcare.gov website” and he had “substantial 


¹ U.S. House of Representatives. Committee on Science, Space, and Technology. Is My Data on 
Healthcare.gov Secure?, Hearing. 19 Nov 2013. 113th Congress. U.S. House of Representatives. 
Committee on Science, Space, and Technology. Healthcare.gov: Consequences of Stolen 
Identity, Hearing. 16 Jan 2014. 113th Congress. 

involvement with the development of the website’s privacy and security standards”. If those 
claims were true, Mr. Park could be accused of misrepresenting his position in testimony before 
Chairman Issa on November 13, 2014. And if the second allegation were true it may also lead to 
a conclusion that Dr. Holdren made misleading representations to this Committee. These 
allegations, if supported by documentary evidence or witness testimony, could potentially place 
Mr. Park in legal jeopardy. Given the large personal stakes for Mr. Park, the irresponsible way 
the Majority manipulate the record to try to support their incredible claims is especially 
disturbing. 

Two of Mr. Park’s quotes from the November 13, 2013 House Oversight hearing are made much 
of in the Majority report. 

When Park was asked if, knowing how October 1 turned out, he would have asked to see the site 
launch “delayed or pushed back,” Park responded: 

“I don’t actually have a really detailed knowledge base of what actually 
happened pre-October 1. I don’t know what levers were available. So I 
would hesitate to make any point now.”² 

When asked about how much more testing of the website Park would have done prior to 
launching, the Majority report reads: 

“I am not even familiar with the development and testing regimen that 
happened prior to October 1. So I can’t really opine about that.”³ 

This second quote is particularly threatening to Park because there is a significant e-mail chain of 
July, 2013 that shows Park getting a detailed account of development and (non-cyber) testing 
from Henry Chao (Deputy CIO, CMS) and Michelle Snyder (COO, CMS).⁴ This chain calls into 
question the seemingly absolute claim made by Park. However, the Majority staff report, 
drawing from the “official” transcript produced by the Majority of that Committee, 


² “Did the White House Knowingly Put Americans’ Sensitive Information at Risk? Committee 
Seeks to Clarify Contradictions Surrounding Senior White House Official's Role in Developing 
Healthcare.gov,” A Report by the Majority Staff of the Science, Space, and Technology 
Committee, U.S. House of Representatives to Chairman Lamar Smith, Committee on Science, 
Space, and Technology and Chairman Paul Broun, Subcommittee on Oversight, October [28] 
2014, p. 6. 

³ Ibid, p. 6. 

⁴ Exhibit 1 contains White House records that show a common pattern for Park: he is tasked by 
the White House to learn something; he turns to Chao and Snyder for information; then reduces 
their information into a bite-sized chunk. In this example he takes four pages of detailed testing 
and roll-out information from CMS and turns it into a 4 point Powerpoint slide for a White 
House briefing. 

misquotes Mr. Park’s reply. Instead of claiming he was “not even familiar”, what Mr. Park 
said was: 

“I am not deeply familiar with the development and testing regimen that 
happened prior to October 1.”⁵ 

The official Oversight and Government Committee transcript is contradicted by commercial 
news service transcripts on this point. More importantly the recording of the hearing bears out 
that the Majority got it wrong, Mr. Park says “not deeply familiar”. We cannot account for the 
transcription practices of another Committee, but our initial inquiries to the White House and 
suggest that the Oversight and Government Reform Committee did not submit the transcript to 
them for review. There is a world of difference between what appears to be an absolute denial of 
knowledge (“not even familiar”) and a qualified denial of knowledge. The documentary record 
from the White House shows no reason to believe that Park’s actual statement is at all inaccurate. 
The bottom line is that the Majority staff of this Committee used an inaccurate quote to try to 
make it appear Mr. Park perjured himself. 

The Majority staff report made these poorly documented allegations before receiving White House 
materials from the critical months prior to launch of Healthcare.gov (May through October 1 of 2013). 

Now, the White House has turned over thousands of pages of documents that shed more light on Mr. 
Park’s involvement in Healthcare.gov. Upon a review of that fuller documentary record, it is 
impossible to sustain an assessment that Park was, as the Majority report put it, “intimately involved with 
the development of the Healthcare.gov website.” 

Based on the most recent White House document production, it is easy to demonstrate that Park 
gathers a lot of information on a wide array of issues related to the program. However, using the 
description that he was “intimately involved” in the project implies a direct, daily managerial 
contact with the army of contractors. There is no document that shows such contact. In fact, the 

⁵ Page 98 of the transcript from the Issa hearing with Todd Park has this quote - in response to a 
question from Congressman Gowdy about testing before the launch of the site on October 1st: 

Mr. PARK. “I am not even familiar with the development and testing regimen that happened prior 
to October 1. So I can’t really opine about that.” In Part 2 of the video linked below, at about 
22:15 seconds, in response to Congressman Gowdy’s question on testing Park actually says: Mr. 
PARK. “I am not deeply familiar with the development and testing regimen that happened prior 
to October 1. So I can’t really opine about that.” 
http://oversight.house.gov/hearing/obamacare-implementation-rollout-healthcare-gov/ 
Page 47 of the Federal News Service transcript has 
Todd Park saying: MR. PARK: So I'm not deeply familiar with the development testing 
(regimen ?) that happened prior to October 1, so I can't really opine about that — (inaudible). 


documents reveal largely superficial contacts with contractors, usually mediated by CMS staff 
and focused on morale building rather than web design. This report highlights several examples 
of Park’s real role— what it was and what it was not— and we are attaching over a hundred pages 
of previously unreleased White House materials so that people can come to their own opinion. 

There is circumstantial evidence that the Majority has an animus towards Mr. Park, and that 
evidence rests on activities that are largely outside the public’s view. In both the meeting of the 
Subcommittee to issue a subpoena for Mr. Park and in their staff report, the Majority make much 
of the fact that Mr. Park cancelled an appearance for a Subcommittee Member’s briefing 
scheduled for September 10, but they have not been transparent about what led to that 
cancellation or their plans for that event.⁶ In August, the Majority received documents from the 
Committee on Oversight and Government Reform that covered communications between HHS 
and Mr. Park. This Committee had not previously received those materials, and the Majority 
staff relied upon these materials to write their accusatory October 28 report. However, the 
Majority did not tell Mr. Park or the White House that they had received those materials. The 
Majority were even reluctant to tell the White House that they had engaged a court reporter to 
make a transcript of the “briefing.” The Majority appeared to be welcoming Mr. Park to come 
brief them, while planning to get him into the room, without counsel and without notice that they 
possessed materials they believed would show he had misrepresented himself, and transcribe the 
confrontation. The Majority’s planned September 10 ambush of Mr. Park was designed to place 
him in serious legal jeopardy. If this conduct does not telegraph animus, and disrespect, it is 
hard to know what would. 

In evaluating the claims that Mr. Park was “intimately involved with the development of the 
Healthcare.gov website” and had “substantial involvement with the development of the website’s 
privacy and security standards”, one cannot lose sight of the fact that the development of the site 
was a product of contractual relations between CMS and the contractors on the project. By law, 
only CMS officials could set or change requirements and define deliverables. In none of the 
material provided to the Committee is there any evidence that anyone at the White House, and 
certainly not the Chief Technology Officer (CTO), took any step that directed requirements or 
deliverables. Nor are any of the usual documents used to maintain insight and control over a 
project— especially the monthly performance reports from contractors-found in the White House 
records. 

In an interview with the House Oversight and Government Reform Committee, Michelle Snyder, 
the Chief Operating Officer at CMS (and Henry Chao’s direct supervisor on the development 
project) was asked about Park’s role in the development and she said this: 


⁶ Withdrawal from the briefing is mentioned on the second page of the body of the Majority’s 
staff report. “Risk?,” p. 4. 

“I would say with Todd, you know, Todd operates at a — and again a good way to 
think of this is, if I say Henry is ground level, and I’m 40,000 or 50,000 feet, 
Todd is 80,000 feet.”⁷ 

The actual documentary record confirms Snyder’s characterization. The records demonstrate that Park 
did not have intimate day-to-day exposure to the program, the contractors, the development’s progress 
or problems, and he had no authority to tell anyone to do anything. He dipped in and out of Healthcare.gov 
as his leadership’s needs bubbled up or requests for help with resources or interagency issues came to him 
from CMS. He ended up covering a lot of different issues with the experts at CMS, but his involvement 
was not sustained and it was not a managerial involvement. He served more like a press secretary or 
legislative assistant— to use an analogy that makes sense in the context of Congressional offices— where he 
asked questions of the experts, gathered some materials 
from them and then boiled it all down to a powerpoint slide or a few bullet points for use with 
the press. Park’s exposure to the development of Healthcare.gov was wide but not deep, 
episodic not constant, and acting as a supporter not manager. Based on the documentary record 
from the critical months of May to October of 2013, the most accurate description of Todd Park 
on Healthcare.gov development is that he was a knowledgeable outsider to the development and 
validation of the website prior to October 1, 2013. 



TODD PARK AS CHIEF TECHNOLOGY OFFICER OF THE UNITED STATES 

Todd Park left a highly successful career in the IT innovation world to join the Obama 
Administration, first (in 2009) as CTO for HHS and then, in March of 2012, President Obama 
named him Chief Technology Officer of the United States. Park had co-founded athenahealth in 
1997 and then in 2008 co-founded Castlight Health. Both firms were very successful working in 
the market space of providing information technology tools to make healthcare delivery more 

⁷ Transcript of Interview with Michelle Snyder by the staff of the Oversight and Government 
Reform Committee, December 3, 2013, p. 192. 

effective and efficient. His co-founder at athenahealth was Jonathan S. Bush, a cousin of 
President George W. Bush. 

The receipt of over 8000 pages of White House documents related to Healthcare.gov responsive 
to the Committee’s request, is useful for the work of the Committee, but distorts Mr. Park’s 
actual work. While no one denies that Mr. Park had contact with CMS regarding issues related 
to Healthcare.gov, it would be a mistake to pigeon-hole Park solely as the “HealthCare.Gov” guy 
in the White House. As CTO in the White House, Park oversaw multiple efforts to use IT and 
the internet as a means to make the government more responsive and transparent to the people, 
and to take steps to spur the spread and infusion of technology across the economy and society.⁸ 
While his position certainly gave him extraordinary insight into how things were unfolding in the 
development of an online healthcare marketplace, his attention was pulled across a wide range of 
initiatives simultaneously. The Majority are trying to define Park’s job as solely about 
developing the online Marketplace, Healthcare.gov, but he did not have the luxury to work on 
that and nothing else for the months leading up to its launch. 

Park led initiatives aimed at a wide swath of opportunities to use technology in creative ways. 
He was responsible for the Open Data initiative to put government data on energy, health, 
education, finance, public safety and global development online. He oversaw “My Data” which 
is designed to give citizens secure access to personal information about themselves with 
initiatives such as “green button”-where private sector energy companies make data about 
energy usage available to consumers. Initiatives to improve disaster response and to fight human 
trafficking also fell to the CTO. The CTO was engaged in “ConnectEd”, an initiative to expand 
broadband access for k-12 schools and to improve training and course materials available to 
teachers for digital learning. The CTO was also supporting a wide-ranging effort to free 
up more spectrum to spur innovation and bring more, higher quality services to consumers and 
businesses. The CTO worked on internet policy for the Administration, including how to 
balance online privacy against the need for an open, innovative internet. Park established the 
Presidential Innovation Fellows program to attract bright innovators from the private sector to 
come work for up to a year with a paired innovative government official to address a targeted 
problem. The CTO also works on the President’s “Open Government” initiative to make the 
government more transparent, responsive and collaborative. 

These were initiatives “owned” by the CTO. In almost all of these areas, Park is overseeing an 
interagency process that would require a lot of collaboration, communication and cajoling of 
agencies to make progress. A fuller examination of Park’s record of emails would reveal the 
breadth and energy of Park’s involvement as CTO; Healthcare.gov was just a small piece in a 
very large pie. Park brought to his job the experiences of leading successful startups in the 
competitive, fast paced IT and venture capital world. His approach relies on “open innovation” 
or “crowdsourcing” and the “Lean Startup” philosophy of getting small, dedicated teams focused 


* Exhibit 2. This profile from the New York Times provides a good exposure to how Park was 
thinking about Information Technology challenges as CTO and the profile is not all about 
Heahhcare.gov in large part because Park’s job was much larger than just that. 
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on achieving what is doable, and then, through rapid innovation and continuous improvement, 
building out from that base. Park was trying to bring these values to his work across the board as 
CTO. 

Park was pulled into work on Healthcare.gov by colleagues at the White House or at CMS when 
they had specific needs. He was clearly trusted by all sides to understand the challenges of a 
technology start-up, which is essentially what CMS was doing in their development of the 
website. However, he himself had a full time job just tending to the CTO’s wide portfolio of 
initiatives and Healthcare.gov was very much a sideline that left Park at a very great distance 
from the day-to-day management of the project. 

This is not to say that Park was not tempted to ask questions and brainstorm with technical 
people working on the Healthcare.gov project when he had the chance— he had been a brilliant 
developer in his start-ups. But he did not have the bandwidth to stick in that role, knew that too 
much interference would actually hinder the build being managed by CMS, and, on those rare 
occasions when he slipped up, CMS was not afraid to yank his chain and tell him to back off. 

9 EXAMPLES THAT TODD PARK WAS NOT INTIMATELY INVOLVED IN 
DEVELOPING HEALTHCARE.GOV 

The attached documents are designed to let fair-minded readers form their own opinions, but we 
believe that the evidence on Park’s role is very clear and can be well illustrated with nine 
examples. 

1. Park and the White House Could Not Direct Contractors 

On June 29, 2013, the Deputy Chief Information Officer at CMS, Henry Chao wrote to Park 
regarding a meeting Park had with a subcontractor, Ideo. Chao wrote, 

“I wanted to talk to you about a meeting you had with Ideo. Apparently 
something was misinterpreted from what you said and the top dog you met with 
circled back to OC [the CMS Office of Communications; OC was in charge of 
certain key elements of the user experience interface] and started to work on an 
alternate rendering of the paper form as if they were instructed to follow a 
different set of requirements. This is a pretty big issue since Ideo does not get to 
change requirements and scope without it coming from CMS directly. If there’s 
anything you can do to help clear this up we would greatly appreciate it, or rather 
the program would appreciate it since it will hold the line of confusion and risk.” 

Park responds, "Will work on making (this) happen as you’ve requested and report back!” Mary 
Wallace, Deputy Director in the Office of Communications at CMS reinforced Chao’s message: 

"... I think the real concern is to not have contractors trying to interpret what they 
think you or others from HHS or the White House asked them to do. The biggest 
help would be for all of you to carry the message that the best thing IDEO (or any 
contractor) can do is what CMS is asking them to do... We have a lot of 
contractors supporting this effort and we are working hard to keep them all on the 
right track to get everything done in time.” 

Park responds: “Hi Mary, thank you for the flag, will absolutely do!” 

Todd reports back that same day, “Hi team, just pinged Team IDEO (including the CEO) and 
said that they should be sure to follow CMS’s lead, and that CMS is the unambiguous 
operational leader of all of the Marketplace work, in case that wasn’t clear :)... But what I’ve 
clarified in our follow-up ping is that we are going to circle back with CMS on this (to 
understand current UX [user experience] decisionmaking process and if any further support/air 
cover for user-centric-ness is needed on an ongoing basis...” There is no evidence that this 
“circle back” ever happens, and as the record revealed, Park himself could not get a hands-on 
user experience of the website until September. However, this exchange shows that CMS was 
clearly in charge — the keepers of requirements and scope on the project and the only ones with 
the power to direct contractors. It also reveals that Park’s natural orientation is not towards a 
deep understanding of the scope and requirements of the contract or an appreciation of the 
challenges of managing and integrating a large team of Federal contractors; those issues, which 
lie at the heart of what was delivered on October 1, were solely the domain of CMS.* 

2. CMS Refuses Park’s Offer to Help with “Creative Solutions” on Spanish 
Translation 

On September 12, Park sends a note to Marilynn Tavenner about why the roll-out of functional 
Spanish language translation for the Healthcare.gov site would not be ready by October 1. 
“Macon (Phillips, White House Director of New Media) pinged me, and asked what the root of 
the technical issue was and if a creative solution might be possible. I said that I would check 
with you :) Might you be able to circle back with your tech team on this question? If it would 
be even remotely helpful, I would be more than happy to join the technical conversation as well.” 
In a follow up e-mail that same day, Park writes, “To help with internal understanding here at the 
WH (and therefore with mobilizing energy and help for external messaging!) would you mind if 
I got on the phone with Henry [Chao] for 5 min to get a quick download on the tech details?” 

Tavenner says, “Yes, but go through Michelle [Snyder— the Chief Operating Officer at CMS] 
first. . . Todd I need folks to understand the VERY best way they can help us - is to reach out to 
the advocates - educate them and garner their energy/support.” Tavenner loops in Aryana Khalid 
[Senior Advisor to Snyder] of CMS who responds to Park and closes with: “I know you are 
trying to help us and we so appreciate it. What we need is folks focusing on what they can do 
which is the messaging and talking to the advocates, not focusing on the IT or trying to come up 
with creative solutions to solve this. I hope this makes sense.”'® 

* Exhibit 3. 

'® Exhibit 4. 
“What we need is folks focusing on what they can do 
which is the messaging and talking to the advocates, not 
focusing on the IT or trying to come up with creative 
solutions to solve this.” 

Aryana Khalid, CMS to Todd Park, White House, CTO, September 12, 2013 


Note that at this point, Park feels the need to ask permission to interrupt Henry Chao, who was 
doing the day-to-day management of the contractors on the project, to get 5 minutes to pursue 
this question. How can anyone seriously think Park is intimately involved in carrying the 
technical side of the program to completion? In any case, the response to his offer of technical 
assistance is a very clear message to stay in the lane of education and outreach and not to get in 
the way of delivery on the system through technical interventions. Park does not press his offer. 

3. Chao Kills “Open Innovation” on Healthcare.gov 

The start-up philosophy that was espoused by Park and others at the White House ran right into 
the wall of Henry Chao’s awareness that he had to build a site that would meet federal security 
standards and not multiply opportunities for fraud. In this clash of cultures, Chao was a clear 
winner. 

On June 22, David Simas (WH Deputy Senior Advisor for Communications and Strategy) starts 
a long e-mail chain titled "this is great” about a blog post by Alex Howard. He sends his note to 
Park and Tara McGuinness (Senior WH Communications Advisor working Healthcare.gov). 
Park replies, adding Bryan Sivak (CTO/HHS) to the chain, 

“I believe what Alex Howard is discussing in this (great) piece is the new 
Healthcare.gov content site, which is up and running, and for which the code has 
been posted on Github (an online repository for open source code). The content 
site will front-end the Marketplace — but the actual Marketplace eligibility- 
checking/enrollment/plan compare functionality is not up yet. Bryan, can you 
confirm/elaborate? Thanks!” 

Sivak offers a long reply that includes: 

“we are going to publish the code this week... if you take a look at the 
/developers page you’ll see that we have detailed the programmatic mechanisms 
for accessing content, but have a “coming soon” where the links to the GitHub 
repos are. . . This is a paradigm shift for the federal government and the fact that 
it's happening on Healthcare.gov is a really big deal for the tech community.” 

There is more back and forth on this, focused primarily about how to get the word out about this 
innovation to the technology press/community, but the basic point is that letting other developers 
look at the code can be used as a means to quickly optimize performance and even expand 
functionality. This is a clear manifestation of a private sector approach of “crowdsourcing” 
innovation applied to the government. Github’s slogan is: “Build software better, together.” 

However, Henry Chao weighs in a few days later. On June 28 he writes to a long list, including 
Sivak, Park and all the key CMS people: 

“I want to express my reservations about putting nearly all the source code for the 
hc.gov/Marketplace Portal Website on Github and making it available for 
absolutely anyone in the entire world to use. While in its current state it does not 
contain the code for the Online Application, someone with less than honorable 
intentions can easily stand up a shadow site that would fake out the general public 
and they can do it easily and literally in just a day or less. While I believe and 
support sharing and being open about our codebase I think we have to balance 
that with safeguarding security, privacy, and the public trust.” 

That email squashed future GitHub releases of code and the sensitive “backend” of the program 
was never put up." This chain illustrates the culture clash between the entrepreneurial practices 
from Silicon Valley and the complex statutory and regulatory environment that the day-to-day 
managers of a multi-billion dollar acquisition know they have to live with.'^ In this area, the 
second set of considerations trumped the “innovation” of the first set of values. Also, one can’t 
lose sight of the fact that the discussion around this matter is about how to work the press to get 
maximum exposure for progress on Healthcare.gov. 

4. Park Not Welcome at July “Readiness Review” 

In July, Park spends five hours in a “deep dive” briefing with Henry Chao to understand how 
development of the Marketplace was proceeding (this appears to be the only “deep dive” 
between July 1 and October 1). Chao would have been boiling down hundreds of hours of work 
across the full array of development issues to give Park a sense of where they are because Park 
did not have that kind of time to give to the project. Park asks if he can attend one of the 
upcoming Readiness Review meetings that was to be an end-to-end walk through to cover where 
things stood with CMS and all the contractors. Chao initially seems to agree because he has 
Todd’s scheduler engaged to set time aside for Park. 


". Adrianne Jeffries, “Why the government unpublished the source code for Healthcare.gov,” 
The Verge, October 18, 2013. 
In an email that goes to Tavenner, Khalid, Snyder and Chao, Park writes: 


“I am very much looking forward to being a fly on the wall at the E&E readiness 
review on the 19th. I’ll be able to attend from 11 am to 4 pm... David Simas is very 
interested in being a fly on the wall for a walkthrough of the FFM web workflow, and 
also would love to soak up a sense of the underlying complexity of the overall 
Mktplace machine. ... he would really appreciate the opportunity, and/but also 
doesn’t want to disrupt things in any way.... 

(FYI, I’ve briefed him in detail about the fact that we’ve locked down business 
requirements and are in pure operational execution mode for Oct 1/Jan 1). Thoughts?” 

It takes 9 minutes for Snyder to respond: 

“We need to talk abt (about) attendance at readiness reviews. I am sure you can 
anticipate my position on that. Flys on the wall are seldom invisible and often 
distracting!!!!” 

Chao weighs in half-an-hour later: 

“My recommendation is that the readiness review in which we conduct (sic) is not 
really conducive for being an observer at this point and we should stick to the 
briefing format for you at various intervals.” 

Park then graciously withdraws from the event. 

5. Park Can’t Get a Hands-on Walkthrough of Healthcare.gov 

Beginning in July, Park asks Snyder and Chao if he can come do a walk-through of the live 
system. First he asks for a hands-on “tour” in Baltimore for August 5. After much negotiation 
(partly because others from the White House want to come), they set a time for the evening of 
August 8. On August 2, Chao writes to Park saying that Snyder has advised that the WH tour 
should be combined with a similar visit by Marilynn Tavenner expected to happen the week of 
August 26. Park says fine and explains to his colleagues that the exercise was being postponed. 
On August 22, Tavenner writes that she is on vacation that week and would look to do a 
walkthrough the week of September 3. So the live experience of the system Park tried to 
arrange for early August did not occur until at least September 3. It is hard to reconcile the 
claim that Park was deeply involved in the development of Healthcare.gov with the reality that 
Park could not even get access to the web site experience as it was being developed. And when 
he finally gets what he asked for, it is in the context of a big group visit.'^ 

“Flys on the wall 
are seldom 
invisible and often 
distracting!!!” 

Michelle Snyder to Todd Park about 
attending an all-contractor 
readiness review on July 19. 

“It is hard to reconcile the claim that Park was 
deeply involved in the development of 
Healthcare.gov with the reality that Park could not 
even get access to the web site experience as it was 
being developed.” 


Keeping Park on a short leash for his contact with technical people, precisely to guarantee that he 
does not distract them from their tasks, leads to this amusing exchange regarding a September 24 
visit to the Herndon center. Snyder writes to Chao, Park and Tavenner: 

“I have requested that the security cameras at Herndon be loaded 
with facial recognition software so that if either of you [Park or 
Tavenner] wander into a restricted area armed with a set of 
questions alarms will sound...” 

Park responds: “Will absolutely obey all instructions with precision!! And really looking 
forward to the visit - and more than anything, thanking everyone from the bottom of our 
collective hearts for the truly incredible work they are doing :)” Tavenner reports back later: “I 
kept Todd under control (well sort of). Henry thanks for a great visit!!!” 

6. CMS Uses Park to Help When They Have WH, Interagency or Resource 
Issues 

Park intervenes on several occasions to help CMS (most often at the behest of Henry Chao) out 
of jams of one kind or another. Park is tireless and uncomplaining when given these tasks and 
clearly views it as something he can do to help create the space for CMS to succeed in managing 
the program. Park speaks directly with Blue Cross and Blue Shield executives about why logos 
cannot be integrated into the site by October 1, and also lets WH staff who may be interested in 
helping BCBSA push back know that it could create program risk.'^ Park helps Henry in August 
by arranging a call with executives from RedHat to make sure their very best people are put on 
Healthcare.gov development, and to ask for very specific types of specialists that Chao needs. 

“ Exhibit 7. 
When it succeeds, Park offers to contact the Federal agencies who would be losing some of those 
specialists in the “surge” around Healthcare.gov and also says if they need any other “surges” to 
just ask and he would pitch in to help make it happen. A few days before the system goes live, 
Tavenner asks Park to contact the state-based markets leaders— clearly a task she was to do but 
felt she could not make time for. He spent two days tracking all 15 state IT leaders down and 
reported back. 

In the last days before the Marketplace was to go live, Chao contacts Park to see if the White 
House can help arrange transport of server hardware from Florida to Culpeper, Virginia so that 
the communications center CMS had there could handle the expected volume of consumers 
logging onto the site. Park dutifully goes up his chain to see what is possible while helping them 
try to find a private sector solution. In the end, Verizon and CMS find that FedEx can do it using 
a special service and they go with that option.'^ Park’s behavior clearly shows that he views 
himself as a resource multiplier for CMS, and he is always ready to throw his weight behind their 
requests for help. 

7. Park is an Information Aggregator for the White House: Cybersecurity 1 

As CMS uses Park to mobilize assistance from the White House — provide “air cover” in Park’s 
phrasing — staff at the White House turn to Todd Park to get information from CMS on a host of 
issues related to Healthcare.gov— records provided to the Committee show him doing this on 
development in July for a WH briefing and on Hispanic community outreach in September. 
However, much has been made by the Majority of Park’s “involvement” in cybersecurity, and so 
we believe that matter should be dealt with in detail. A review of the broad documentary record 
provided by the White House makes it very clear that Park is engaged in this matter in the 
August-September timeframe in response to concerns by the people he works for at the White 
House who desire to have a clear, convincing message on security. The White House was very 
aware that the press and Republican Members of Congress were starting to spin up stories about 
the security of the site and so it was natural for White House staff to get up to speed on the 
development’s progress and to directly address any interagency needs for policy. At this time, 
there is also a report out from the HHS Inspector General about testing and security of the Data 
Hub part of the development for Healthcare.gov. 

Park’s communications throughout this time clearly reflect his role is almost exclusively about 
message development and information gathering. He most definitely was not managing 
cybersecurity development of Healthcare.gov. 

In August, the WH begins to ask questions regarding cybersecurity and privacy; Todd Park is 
tasked with gathering information. Park turns to the experts at CMS for help. On August 23, he 
writes to Michelle Snyder, Tony Trenkle, and Marilynn Tavenner with a subject, “Cybersecurity 
bullet points needed,” “WH folks would love to get three basic bullet points describing how 
we will protect the Marketplace from cyberattack. Many apologies, but if we could get these 
by COB today, that would be fantastic - is that possible? Below are three strawcase bullet points 
folks have drafted - feel free to edit/change any way you see fit. See notes following each bullet 
as well.” 

Exhibit 10. 

’’ Exhibit 11. 

It is not clear that Park even drafted these bullets, but the questions he writes are revealing of his 
lack of confidence in the points. On the first point he notes, “want to make sure this is 
stated/framed accurately.” On the second point he writes, “you may want to replace this bullet 
entirely with another bullet that describes CMS’s cybersecurity approach and capabilities. If you 
want to add more than one bullet on that, that’s also totally cool.” In the event, CMS rewrites all 
three points with the first and second point reflecting substantially new information.'* 

This exchange sets the stage for an email thread titled, “Cyber next steps,” which is made much 
of in the October 28 Majority staff report’s effort to paint Park as intimately involved in 
decisionmaking around cybersecurity. The origins of the string are not clear in the materials 
included in the Majority’s report, but documents provided by the White House suggest there was 
a push to get a coherent message together due to external inquiries. The first email is from Park 
to Tony Trenkle with a cc to Michelle Snyder and it lays out three points. The first point is: 

“We should convene a work session in the next 
week with you, Teresa, Frank Baitman [CIO at 
HHS], his CISO, and probably a DHS person 
and DOJ person (she [Snyder] was thinking 
someone who has experience going after 
cyberattackers), plus any other folks you want to 
have there to discuss how to protect the 
Marketplace from cyberattack. This would 
include a discussion of our defenses, the threats, 
and our responses to the threats. I would 
absolutely love to be part of as much of this 
meeting as I can, but also don't want to be a 
scheduling bottleneck, and it should really 
happen sooner rather than later. . . You should 
go ahead and schedule the meeting, and I will 
try to be there for as much of it as I possibly 
can!” 


“I would absolutely love to 
be part of as much of this 
meeting as I can, but also 
don’t want to be a 
scheduling bottleneck, and 
it should really happen 
sooner rather than later.” 

Park to CMS staff in discussing the 
need to have an interagency meeting 
on cybersecurity and the 
Marketplace, August 28, 2013 


Park’s note makes clear that he does not view himself as central to the substance of the 
cybersecurity discussion that is proposed--the conversation can go on without him. That is not 
the attitude of a person who is directly involved in shaping cybersecurity aspects of 
Healthcare.gov. And the point of the meeting would be a memo for the White House that lays 
out response steps for protecting the site from malicious attack. 

‘“Exhibit 12. 
Later, that very same day (August 28), he again writes to Tony Trenkle, Michelle Snyder, Frank 
Baitman and Aryana Khalid: 

“Aryana and I were also just in a meeting where we got some additional insight 
that is helpful: 

• There is a cyber and ACA subcommittee hearing happening on 
September 11, so it probably makes sense to target putting together a 
memo by end of next week (and talking with Alex Karp by the end of 
next week to help inform the memo - will try to set up time with him 
for Thursday the 5th) 

• It sounds like folks would like the memo to cover (1) our preparation 
for and defenses against cyberattack, (2) what would our 
response/action be if an attack/crisis happened, and (3) how would we 
prosecute attackers. The roster for the meeting Michelle 
recommended (to include DHS and also DOJ to handle the prosecute 
part) sounds spot on. 

• Potentially for incorporation in the memo: external validators who 
could speak to the quality and strength of CMS cyberdefenses, should 
that become useful. Alex Karp could be one, but might you have 
others as well? 

The memo is again for internal eyes only, but it sounds like people will draw from 
it in appropriate ways for external communications purposes as well.” 

This email puts the first one in the chain in a clearer light. White House concerns about having a 
strong, clear message on cybersecurity, and making sure there was a coherent interagency 
strategy, drove Snyder, Trenkle and Park to begin planning. What must have been an 
interagency meeting provided Park with more clarity about exactly what was desired by the WH 
for the memo. 

The idea that it was an interagency meeting on ACA is confirmed by an email on August 29 
from Edward Siskel (White House Counsel) to a long list of White House staff (Todd Park is 
among them) and including representatives from Justice, HHS, the Federal Trade Commission 
and probably DHS. Siskel wrote, “Thanks again for participating in yesterday’s meeting and for 
all the work you have been doing to help protect consumers during the roll-out of the 
Marketplaces. Below is a list of do-outs from the meeting based on my notes.” All of the to- 
do’s on this document have to do with public education materials regarding fraud and an effort to 
identify external validators who can speak to “public education/outreach, intake process, value of 
Sentinel, prosecution, etc.” 

There are several places in the records where Park helps locate or asks for “external validators.” 
This is a strategy whereby a quotable expert is found who can confirm for reporters that a 
particular plan or point is credible. This is a common technique that is used in Congress as well 
as the White House. When a story is pushed out, those doing the pushing also provide the names 
of experts who can speak to the credibility of the claim to “validate” the story. 

Starting September 2, there is a (relevant) new thread started by Todd Park in an email to Chris 
Jennings, the President’s Senior Healthcare advisor. The email contains “cybersecurity 
background points for (redacted).” We know the redacted meeting referred to was a scheduled 
Presidential briefing. Park shares the same points developed by CMS on August 23 with a few 
updates from the August 28 initiative. Jennings writes back to Park: 

“Ok, thanks Todd. Quite helpful and will serve as a placeholder for (redacted) We need 
to have all of this locked down for the September 11th hearing - we also have to have 
strong message with Justice, FTC, HHS and others for our enforcement event the week of 
the 16th. I know we had reference somewhere to current federal standards and how they 
exceed private sector as well as track record of protection from attacks. Can you or 
someone provide that reference for me to bolster confidence building tomorrow? Thanks 
much for all. And safe and fun travels my friend.” 


Park shares this with CMS people, looking for more details on the idea that federal standards are 
more rigorous than private sector standards. At 1:38 am on September 3, Park sends to Jennings 
an expanded set of bullet points that addressed Jennings’ question. These were done up by Frank 
Baitman (HHS) and Tony Trenkle (CMS). Later, Chris Jennings writes back to everyone to thank 
them for their help and to report the meeting went well.’’ 

Instead of being a decisionmaker on cybersecurity, Park is involved here in what is an effort to 
prepare external messages and firm up interagency coordination on policy because of increased 
attention on The Hill and in the press. Significantly, nothing in these records suggests that Park 
is drilling down into the development of cybersecurity tools in the Healthcare.gov website, or 
the testing of those methods or anything of substance about FISMA requirements— the things 
that the Committee has had testimony about in prior hearings. When Jennings refers in his 
September 2 email to how Federal websites have more rigorous security standards than the 
private sector, Park cannot respond in substance, but has to send it to CMS to handle the 
issue. Time and again, he turns to CMS for expert knowledge in an area he is not expert in to 
inform the work of the White House. It is absurd to try to turn any part of this exchange into 
some evidence that Park had a substantial role in managing or developing cybersecurity code, 
requirements, standards, testing or performance for the website itself. An important point to 
note: Henry Chao, who is so often Park’s contact on CMS issues, is not in charge of 
cybersecurity development for the site. 

“Significantly, nothing 
in these records 
suggests that Park is 
drilling down into the 
development of 
cybersecurity tools for 
the Healthcare.gov 
website, or the testing 
of those methods, or 
knows anything of 
substance about 
FISMA requirements” 

8. Park as a Spokesman: Cybersecurity 2 

Not to diminish the value of spokesmen, but in complex, modern organizations they are rarely 
the principals in carrying out policy or directing resources. In his CTO hat, Todd Park often 
played the role of spokesman to the press regarding IT initiatives for the Administration. There 
are multiple examples of Park seeking information from CMS (not directing them to do things, 
but asking for their help) about Healthcare.gov in preparation for media contacts, but because 
cybersecurity is so important to the Majority’s (mis)characterization of Park, it is important to 
examine an example of how Park worked with CMS to prepare for a press call. 

On September 17, the Healthcare.gov team at the White House finished up editing and clearance 
on a press release entitled, “Obama Administration announces a coordinated interagency effort to 
prevent and detect consumer fraud in the Health Insurance Marketplace.” This is obviously a 
release which has its roots in the education and outreach effort Park participated in as discussed 
above in item 7. The Office of Communications sets up a background call with the press for 
September 18. Park writes to Jessica Santillo of White House Office of Communications, 

“Hi Jessica, I’m signed up to help with the call! 

Looping in Tony [Trenkle], Frank [Baitman], and 
Brian [Cook of CMS]. Two questions: 1. Is the 
call on background, or on the record? 2. Can 
Tony Trenkle and Frank Baitman join me on the 
call? They are the folks who know the details, 
and it would be super-helpful for them to be on.” 

Initially Santillo says that is fine and tells him the call 
will be on background according to “White House 
officials”. Then Communications decides the call should 
be WH only, leading Park to write to Trenkle, Santillo, 
and Baitman (as well as others at CMS): 

“it looks like the background call tomorrow is 
with WH folks only, with detailed inquiries to be 
referred to agencies. . . I’ve let Jessica know that 
you guys are the font of detailed knowledge on 
CMS/HHS cyber and that I can talk to it at a 
general level only.” 


“I’ve let Jessica 
know that you guys 
are the font of 
detailed knowledge 
on CMS/HHS 
cyber and that I 
can talk to it at a 
general level only.” 

Park to Santillo, Trenkle, Baitman 
regarding an upcoming press call, 
September 17, 2013 
This tone of acknowledging that the website technical experts reside at CMS is completely 
consistent with everything Park testified to before Chairman Issa on development more broadly 
and also is consistent with subsequent characterizations made by Dr. Holdren to this Committee. 

Park sends around talking points on cybersecurity for their review, but acknowledges they are 
drawn from the past materials that had already been worked up on the issue — meaning that CMS 
had already approved (and re-written) much of it before. The next day, September 18, the day of 
the call, Park writes to Trenkle and Baitman with additional questions. These are significant 
because they demonstrate the state of Park’s confidence in cybersecurity matters just two weeks 
before the roll-out of Healthcare.gov. The first question: 

“And Tony, one more background question: is it the case that the security testing 
is done by an independent contractor managed by CMS info security staff, and 
that the review of results, assessment, and signoff happen via you, the CISO, and 
CMS info security staff? Thanks!”

Twenty minutes later he sends another email, 

“And Tony and Frank, sorry, one more background question: the press release 
today says: “Together with our interagency partners, CMS has developed a rapid
response mechanism to respond to a potential data breach and mitigate the effects 
of attempts to jeopardize the integrity of the Hub and the database it connects” Is 
this the same thing as the Incident Response capability discussed in Marilyn’s 
letter, but with souped up interagency coordination? Or is it something 
different?” 

Trenkle confirms that he has both characterizations right. Baitman also sends a reply, but it is 
responding to another question that Park had buried in his draft talking points about how many 
Authority to Operate (ATO) security certificates would be issued for Healthcare.gov. Park
thought there would be multiple ATO’s issued; Baitman says just one for whole system — this 
key point Park got wrong.^° 

It is significant that Park is uncertain about these very basic points. Anyone substantially 
involved in the cybersecurity side of Marketplace development would know these matters inside 
and out — they are sort of cybersecurity 101 questions. The fact that Park does not seem to know
who the security testing contractor is — typically in this kind of note he would mention the 
company — is another “tell” that Park is working in the shallow end of his knowledge pool. 

These questions illustrate that an effort to describe Park as intimately involved in cybersecurity 
development is simply ridiculous. Not to lose sight of the obvious: Park’s only reason for 
another crash course on cybersecurity was to serve as a spokesman with the press as a 
“White House Official” explaining the Administration’s initiative.

9. Park Brings the Cupcakes: Tending Team Morale

On the 28th Park writes to Chao: “I have permission from 
Michelle (Snyder) to bring y’all food tomorrow (the 29th) 
in Herndon on the condition that I leave immediately after 
delivering the food and not involve you in a long and 
super-interesting conversation that takes time away from 
your incredibly important work :)” Park offers to bring
lunch or dinner, but Chao indicates meals are covered and 
tells Park, “you are in charge of the out of the ordinary 
surprises.” 

Park goes to Georgetown cupcakes to get 150 cupcakes 
and Haagen-Dazs for ice cream. He tells Chao that his
father is driving him to Herndon, and that he will deliver 
the food and leave. Chao responds: “I think you can 
come in and help dole out the food and say hello. People 
here want to be able to at least see you in person. It really 
makes them feel like someone cares enough about their 
contribution to do this kind of thing so come in for at least 
30 minutes but don’t wander to where the architects and 
engineers... are because they will never let you leave.”^' 

This small anecdote sheds light on the way that Chao used Park on several occasions: to inspire 
the various teams working to get Healthcare.gov up and running. Park was an ambassador from
the White House and he invariably tried to bring food. The email record is full of offers of Park
to bring hummus, cookies, cupcakes at the drop of a hat. And from all written accounts, Park is
passionately enthusiastic and grateful for the hard work the teams were doing. 

Anyone who has led groups of people through hard tasks - any kind of campaign, for example - 
knows how important small acts of kindness and appreciation are to keeping people motivated 
and moving forward. Park played this role very, very well. 

Even at the very end, Park was trying to inspire people to great efforts to make October 1 a 
success. At 11:02 pm on September 30, Park sends an email to a string of top CMS and
Verizon/Terremark, CGI recipients. Because it is so revealing of Park’s attitude and personality, 
it is worth quoting from at length. 

“Dear Laura, David, and Chris, thank you so very much for the heroic work you
have done and are doing to support Marketplace go-live! We have one more
favor to ask:

I understand from Henry that a Verizon/Terremark team is working very hard to
activate all the new hardware that’s arrived at Culpeper.

Every new VM, every ounce of additional power adds materially to the
probability of a successful go-live tomorrow morning.

If there is any possible way that you could 2x, 3x, 4x progress by having teams
work in parallel tonight, that would be absolutely amazing.

Possible?

This is a historic moment, and the team is so very close to pulling off a feat for
the ages is there any way to amp things up even further?

We would be massively, massively appreciative please contact Henry with
questions/thoughts!”""

“People here want to be able to at least see you in person. It really makes them feel like someone cares enough about their contribution to do this kind of thing...”
Chao to Park bringing 150 Georgetown cupcakes to lift morale at the Herndon site on September 29, 2013

^'Exhibit 15.

Here Park is playing his role as an inspirational voice asking for the last, best effort from those 
on the front line, without undermining CMS’s authority. In the end, there was only so much 
exhortation could do to bring the new servers on-line, and it is highly unlikely that insufficient 
hardware was the sole issue that contributed to the problems on October 1. The problems on 
October 1 are precisely what led Park to be pushed out of his roles as aggregator, advisor, 
supporter and spokesman — roles appropriate to the months leading up to launch — to join a 
small team working to get down into the guts of the web site to analyze what was wrong and 
how to make it right. In that, they succeeded, but that success is not of much interest to the 
Committee. 


CONCLUSION 

Looking at the record: Park was not to give contractors direction, was not welcome at the 
readiness reviews, was not able to get a hands-on walkthrough of the web experience, was turned 
away on offers to help with technical problems. Time and again he is pushed by senior CMS 
officials back out of technical discussions or too much on-site time and back to his 80,000 foot 
orbit. He appears to take these nudges with grace. 

The thousands of pages of records simply do not sustain a claim that Mr. Park had “substantial 
involvement with the development of the website’s privacy and security standards” or was 
“intimately involved with the development of the Healthcare.gov website” as the Majority Staff 
Report framed their allegations. To believe these allegations you have to ignore all the examples 
offered in this report of what Park was not allowed to do by CMS. To believe these allegations
you have to distort the record into unrecognizable form. To believe these things requires that a
person know absolutely nothing about how multi-billion dollar Federal software acquisitions are
managed. None of the normal signs of substantial or intimate involvement in that
management — communications around requirements, critical path progress and key technical
issues, changes to scope, work orders, spend rates — can be found in the records involving Park.
The anecdote about his conversation with Ideo, and the pushback he got from Chao, is as close
as the record comes to showing Park interacting on program details with a contractor, and in that
case Park is schooled on staying in his lane.

In an interview with the staff of the Committee on Oversight and Government Reform, Henry 
Chao was asked about Park’s involvement in development of the website: 

“Counsel: ... he [Park] wasn’t involved in the day-to-day management of the 
Federal marketplace. Is that correct? The IT? 

Chao: Correct. Not managing it. I think he was, of course, you know, part of the
overall what I would consider the senior leadership, the technical leadership 
anyway, for the Federal Government, of which there’s a natural alignment that 
needs to occur between all technical kind of issues, because of his role. 

But he didn’t own anything, meaning, you know, he didn’t have the 
budgets, the staff, the contractors. So the day-to-day management really still falls 
to the operating agencies that are kind of trying to implement the program. He 
served as —advises on issues, helps you air certain cross-cutting issues, create, I 
believe I mentioned this, a forum to discuss and collaborate on cross-cutting 
issues... Interagency. Or even interdepartmental in some cases. So, you know,
he’s best suited, you know, to kind of do that role because of his position. 

Counsel: So he would check in and have conversations to see what was going on, 
but he wasn’t necessarily, how do you put it, like on the ground looking at — 
looking at code, looking at — 

Chao: No. He — yeah. He doesn’t provide direction... He’s not, you know,
officially in the chain of command, you know, because I take my direction from
Marilyn Tavenner and the center director of CCIIO, and the chief information
officer and the chief operating officer of the agency.”

Todd Park did do a lot of work related to Healthcare.gov. The record makes abundantly clear 
what Park’s role in Healthcare.gov was prior to October 1, 2013. He was the chief support for
CMS needs within the White House, and was the chief representative for the White House when 
Chao was looking for a cheerleader to come inspire the teams. He was an asset with the private 
sector both in outreach on ACA, but also when Chao was looking for access to top contractors 
who could help his program or when there was a need for external validators. The vast majority 
of email communications between Park and CMS, most frequently Henry Chao and Michelle 
Snyder, are requests for information driven by Park’s own need to provide information to his 
leadership within the White House or to be prepared to interact with the press or public as a 
spokesman for the White House. In all of these roles, Park excelled. On balance, the records
show Park to have been endlessly energetic, enthusiastic, creative, and optimistic. But on
technical questions related to the development of the website prior to October 1, we are
convinced that “knowledgeable outsider” is an accurate description.

Transcript of Interview of Henry Chao by staff of the Committee on Oversight and
Government Reform, July 22, 2014, starting on p. 78.

Mr. Park has already enjoyed a successful career as an IT entrepreneur and job creator. He gave 
that up for a few years to come to Washington to improve the performance of the government in 
delivering services to the American people and to try to improve our country by pushing 
innovation to address social needs and economic opportunities. Based on the thousands of pages 
of records and his prior testimony, he did nothing wrong at any stage of his relatively short 
public career. We can find no basis for alleging that he misrepresented himself before the House 
Committee on Oversight and Government Reform, and absolutely no evidence that he had a 
substantial role in cybersecurity development. That should also dispose of the allegation offered
in the Majority’s staff report that Dr. Holdren misled the Committee in his communications
about Mr. Park’s involvement in developing cybersecurity standards and tools for
Healthcare.gov. As to Dr. Holdren himself, there is absolutely no indication in the White House
records that he had any role in Healthcare.gov. So far as we could determine, Dr. Holdren is on
none of the email chains involving Park and CMS. The bottom line is that the records in our 
possession appear to exonerate both Mr. Park and Dr. Holdren of the allegations made against 
them in the Majority staff report. 
From: Chao, Henry (CMS/OIS)
Sent: Saturday, July 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA)
Subject: Testing information
Attachments: testing summary to Henry 07 12 2013.docx
Importance: High

Attached is the requested information you asked for on testing.
Let me know if you need anything else.

Thanks
Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

CMS is testing with each business partner of the Federally Facilitated Marketplace (FFM): (1) Issuers; (2)
States; and (3) Federal Agencies. The tests are designed to ensure that each partner can connect to the
FFM IT systems and exchange data properly to support the actions a consumer takes to enroll in a
Qualified Health Plan (QHP) on the FFM or to be transferred to a State for Medicaid/CHIP Enrollment:

• Issuer testing validates that issuers and the FFM can orchestrate the enrollment of consumers 
into plans on the FFM; 

• State testing validates that States and the FFM can transfer consumers between the FFM and 
States depending on eligibility for the Health Insurance Marketplace or Medicaid/CHIP. 

• Federal Agency testing validates that the FFM, through the Data Services Hub (DSH) can
exchange the data required for eligibility determinations. 

General Testing Approach 

• CMS has developed a test plan, schedule, and data for each set of external partners. The test
data is designed to test the critical business rules for eligibility determination.

• To prepare for Federal Agency Testing, CMS developed and utilized a Test Harness to simulate
responses from the Federal Agencies. This approach allowed CMS to detect and correct
software issues in the FFM prior to testing with other Agencies.

• All external partners will begin End to End testing in Mid-August with planned end date of
August 31


STATE 

• States have been involved in "Wave" Testing since March of 2013. The Wave concept onboards
States over 4 successive periods based upon their readiness. The testing objective is to verify the
interoperability of State system functionality, hardware and software, and business logic with
the Federal Data Services Hub (FDSH). Testing includes scenarios designed for successful
responses as well as unsuccessful but valid responses.

• High level State testing milestones:

  o October 2012: States began informal testing
  o March 2013 - August 2013: Formal "Wave Testing"
  o Mid-July: Start Account Transfer testing between State Medicaid & CHIP Agencies and
    the Federal Marketplace
  o Mid-July: All States will begin regression testing
  o Mid-August to August 31: All partner End to End testing

• Composition of State testing:

o Total States Testing with Hub: 46 states (two more States are expected to join testing 
next week) 

o The 46 States break down into 

• 15 State Based Marketplaces, 

• 13 State Partner Marketplaces, and 

• 18 Federally Facilitated Marketplaces. 
• Results:

  o Testing progress varies by state, depending on the readiness of the state system. Some
    states have successfully completed testing on multiple services, while other states are
    just getting started.

• Activities for 10/1/13

  o Complete onboarding and testing of the remaining States
  o Complete Operational Readiness Review (ORR)
  o Receive State tailoring of FFM Modified Adjusted Gross Income (MAGI) rules to support
    Medicaid eligibility determinations.
  o Determination and approval of advance Cost Sharing Reductions (CSR) estimate
    required by September 2013
  o Processing of transactional enrollment files (834s) from State Based Marketplaces (SBM)
    required by October 2013

• Risks for Day 10/1/13

  o SBMs are responsible for the readiness of their State Marketplace and CMS cannot
    support late conversions to the FFM
  o Integrated Medicaid & CHIP eligibility systems may need to utilize FFM if their MAGI
    eligibility determination functionality is not ready

• Activities for 1/1/14

  o States that did not meet Account Transfer readiness by 10/1 will be tested
  o Data exchanges between CMS and SBMs for Federally-administered functions
    ■ Enrollment reconciliation with SBMs, including Advanced Premium Tax Credit
      (APTC) and CSR amounts required by December 2013

• Risks for 1/1/14

    ■ States that do not complete their Account Transfer functionality will need to
      utilize alternate methods for transferring individuals

FEDERAL

• High level Federal testing milestones:

  o October 2012: Testing with IRS started
  o Current: CMS is testing with Medicare, IRS, SSA, DHS, Peace Corps and OPM
  o 8/15: Federal Agencies will begin participation in End to End testing on 8/15

• Activities for Day 1

  o Initiate (and complete) testing with VHA & TRICARE
  o Onboard Federal Agencies into Production environment

• Risks for Day 1 

o VHA & TRICARE not ready for Day 1 affecting Minimal Essential Coverage checks 
ISSUERS

Eligibility & Enrollment

• CMS worked with Issuers to define test scenarios with the emphasis on the ability to perform
Qualified Health Plan (QHP) enrollments. Issuer QHP Enrollment Integration Testing consists of
FFM-Initiated Enrollment transaction testing as well as optional Issuer Direct Enrollment
processing via web services

• High level Issuer testing milestones:

  o June 2013: Testing with Issuers began

  o FFM-Initiated Enrollment Testing

    ■ Week of 7/15: Engage the first wave of 7 Issuers for functional FFM-Initiated
      Enrollment Testing

    ■ Early August: Engage the second wave of Issuers with approximately 125
      participants.

    ■ Mid-August: Additional testing waves will be conducted every two weeks for
      FFM-Initiated Enrollment testing leading up to the October 1st go-live for Open
      Enrollment.

  o Direct Enrollment Integration Testing

    ■ Week of 7/22: Direct Enrollment Testing starts for all interested Issuers, and will
      be ongoing throughout the months of August and September.

• Results

  o To date, CMS has received 140 approved Issuer Onboarding Forms, covering 600 QHPs.
  o Thus far, CMS has received 80 applications from Issuers wishing to participate in Direct
    Enrollment.
  o Hub Partner IDs have been created for 33 Issuers; CMS is awaiting response from the
    remaining 47 Issuers that have applied.
  o 15 Issuers have demonstrated the ability to connect to Hub services to perform Direct
    Enrollment.

• Activities for Day 1

  o Onboard all Issuers with Marketplace QHP
  o Complete planned Direct Enrollments and FFM-Initiated Enrollment testing with every
    Issuer

• Risks for Day 1

  o Issuers not ready for Day 1 affecting Marketplace QHP enrollments

• Activities for 1/1/14

  o After Enrollment Integration Testing, CMS will continue to test new functionality with
    Issuers, such as Enrollment Reconciliation and EDI Payment Remittance, which are
    required by January 1, 2014.
  o First payment due to Issuers required by January 2014
  o Commence issuer edge server processing for claims/enrollee data required by January
    2014


OSTP ACA 0007065

From: Chao, Henry (CMS/OIS)
Sent: Saturday, July 13, 2013 UM)5 f>M
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Bowen, Marianne (CMS/OA)
Subject: Re: Testing Information


Todd Couts sent me the descriptions of the readiness reviews and we were checking with Marianne to see if she had anything
to add, but here it is without Marianne’s additions.

CMS is performing a series of IT Readiness Reviews designed to ensure that the Federally Facilitated
Marketplace (FFM) IT systems are prepared to support Open Enrollment on October 1 and the beginning of
payments in January 2014. The Reviews include all relevant contractor and Federal teams. To ensure
that the Reviews cover the multiple aspects of IT readiness, we have organized the reviews into several
components.

1. A functional walkthrough that focuses on the IT capabilities required to support the actions that
a consumer will take to enroll through the Health Insurance Marketplace. These Reviews will
inspect the IT capabilities required to facilitate two primary activities: (1) enrolling a consumer into
a Qualified Health Plan (QHP) on the FFM or (2) transferring a consumer to a State Medicaid
Agency for Medicaid/CHIP enrollment. IT capabilities include HealthCare.gov website functionality,
eligibility determinations based on Federal data sources (transmitted via the Data Services Hub),
etc.

2. The IT processes and infrastructure reviews will examine the following four elements of the FFM
IT systems:

• Security - The IT security review will ensure that the systems include the proper Federal
security and privacy controls to protect sensitive data (e.g., FISMA/HIPAA/etc.);

• Operations - The IT operations review will verify that the necessary human and technical
resources will be prepared to run the systems on a daily basis. We will include a review of
the help desk operations required to provide effective and efficient customer service for
consumers and other business partners;

• Infrastructure - The infrastructure portion of the review will focus on the hardware,
software, and network capacity of the FFM IT systems. The goal of the infrastructure review
is to ensure the availability and performance of the systems; and

• Tactical Deployment - Finally, we will review the plan for the "go-live" event. This review
will walk through the checklists and tasks to "turn on" the system, to make it available to the
public and finalize the connections to Federal and State partners.

3. The external partner review will focus on the interaction with the FFM's business partners; i.e.
Issuers, States, and Federal Agencies. We will assess the status of agreement with each partner,
the readiness of each external partner to engage in IT interactions with the Marketplace, and the
plan for coordinated business and IT operations.

Each review includes a detailed assessment of status and results in an actionable follow up plan to address
risks and focus our implementation efforts and resources.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services
From: Todd Park <
Date: Sun, 14 Jul 2013 01.63^1' 40p0ff:
To: HENRY CHAO <
Cc: Michelle Snyder <
Subject: Re: Testing information

Henry, thanks so much, will read this tonight! I think you were also going to send the 9 questions + a couple of bullets
describing (at a high level) the readiness review process?

Thanks! Will send you and Michelle a draft document tomorrow.

Cheers,
Todd

From: Chao, Henry (CMS/OIS) [mailto:
Sent: Saturday, July 13, 2013 03:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA) <
Subject: Testing information

Attached is the requested information you asked for on testing.
Let me know if you need anything else.

Thanks

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services
From: Chao, Henry (CMS/OIS)
Sent: Monday, July 15, 2013 2:12 PM
To: Snyder, Michelle (CMS/OA); Park, Todd
Subject: RE: Draft write-up
Attachments: DRAFT summary write-up Henry Changes.docx
Importance: High

Here are my changes

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

From: Snyder, Michelle (CMS/OA)
Sent: Monday, July 15, 2013 1:54 PM
To: Todd Y Park; Chao, Henry (CMS/OIS)
Subject: Re: Draft write-up

Looks good

Readiness reviews will continue throughout december as functions evolve and change. Henry is figuring out frequency
by function so defer to him

Also - the 9th question on SHOP needs revisited given recent decisions. We left it on as a placeholder. For your
backpocket the 9 questions map to over 90 plus data sources and items. Also - the front end guys - training and
consumer assistance is underway and will be eventually subsumed into a management information dashboard

Michelle

Sent from my BlackBerry Wireless Device

From: Park, Todd [mailto:
Sent: Monday, July 15, 2013 12:02 PM
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Subject: Draft write-up

Hi Henry and Michelle, here's the draft write-up for the 4:30 meeting this afternoon am keeping it high-level, as you'll
see.... Any and all edits would be greatly appreciated! Henry, I'll connect with you at 2:15 pm, thanks!
DRAFT, PRE-DECISIONAL, AND CONFIDENTIAL
MARKETPLACE IT CHECK-IN SUMMARY

• FFM and Hub IT is on track to be up and running for October 1 go-live

- Need to continue to hold the line with respect to lockdown of business requirements and
enforcing that no changes can be made without extreme risk to schedule and delivery by
October 1 and January 1.

- Readiness reviews (by Functional areas like Eligibility & Enrollment and Operational areas such
as Connectivity & Testing) are being executed nearly every week from now through October 1
and January 1. Will enable identification and resolution of issues based on comprehensive
walk-throughs

- Testing of data flows between Hub and the Federal Agencies (IRS, SSA, DHS, VA, OPM,
CMS/Medicare, Peace Corps) is far along. Testing is in mid-process with States, and in the early
stages with Issuers.

  o Need for CMS tech/ops leads to interact with issuer tech/ops leads on a free flowing,
    on-demand basis to ensure flexibility and responsiveness in focusing on results
  o End-to-end testing with all partners planned for August 15 to 31

- Post October 1, development and testing work will continue at high-intensity on additional FFM
modules required to support financial management/plan payment to support the beginning of
payments to issuers in Jan 2014

• As with any large-scale new program launch, there will be glitches and issues on and after go-live.
CMS has stood up and is in the process of operationalizing a Marketplace Operations Center that
will monitor Marketplace operations and systems and lead rapid-responses to issues as they arise. It
will be important to ensure that the Center is fully staffed with both dedicated technical and
business staff.

  o As with any new operations at this scale the issues need time for analysis before
    executing fixes and alternate processes DO NOT PANIC!

• It will be critical to tightly manage the flow and approval of QHP data over the next two months

- State DOI approval of plans and all data to CMS for validation: 7/31

- Beginning 8/1: Issuers review plans via Plan Compare view
- CMS does final QA of plans

- 9/7: Plans are certified and scheduled to be displayed

• State-Based Marketplaces

- Important to stick with "pivot" decision-making deadline and clearly communicate to SBMs that
they are accountable for bringing their marketplaces live. (FFM will not be able to backfill for
them at the last second). There's no room in the schedule or resources to shift if any part of the
"pivot" decision gets reworked, modified, amended, changed, even on a small scale like website
changes

- Consumer experience will vary from SBM to SBM based on their individual design decisions and
execution completely intended to be in the states' domain

• CMS is prepping the systems capabilities to answer 9 essential FFM questions post-go-live:

- How many consumer applications?
- How many consumer eligibility determinations?
- How many consumer enrollments into QHPs?
- How much are consumer premiums?
- How many consumers are receiving financial assistance?
- How many consumer health plan choices?
- How are consumers using assistance channels?
- How are CMS Marketplace operations performing?
- How many employers and employees are served by SHOP?
From: Chao, Henry (CMS/OIS)
Sent: Monday, July 15, 2013 4:2S PM
To: Park, Todd; Snyder, Michelle (CMS/OA)
Subject: RE: Draft write-up
Importance: High

Just caught an important distinction to be made.

9/7: Plans are certified and scheduled to be displayed
I think the "displayed" is internal cross checking and not consumer facing. Consumer facing is 10/1.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

Sent: Monday, July 15, 2013 4:25 PM
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Subject: Draft write-up

Final version for the 4:30 attached please keep very close hold. I am bringing hard copies only to the 4:30
meeting. Thanks!

From: Chao, Henry (CMS/OIS) [mailto:
Sent: Monday, July 15, 2013 2:12 PM
To: Snyder, Michelle (CMS/OA); Park, Todd
Subject: Draft write-up
Importance:

Here are my changes

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

From: Snyder, Michelle (CMS/OA)
Sent: Monday, July 15, 2013 1:54 PM
From: Snyder, Michelle (CMS/OA)
Sent: Tuesday, July 16, 2013 5:53 PM
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Graubard, Vivian
Subject: Re: Two quick things

We are in a hearing tomorrow and will not be able to comment until the afternoon at the earliest

We need to talk abt attendance at readiness reviews. I am sure you can anticipate my position on that
Flies on the wall are seldom invisible and often distracting!!!

Michelle

Sent from my BlackBerry Wireless Device

From: Park, Todd
Sent: Tuesday, July 16, 2013 05:44 PM
To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Graubard, Vivian
Subject: Two quick things

Hi Marilyn, Aryana, Michelle, and Henry! Two quick items:

1. I will be working on and sending you draft slides they will basically
be a Powerpoint-ized version of the Word document we reviewed. If you could get me any comments by noon
tomorrow, that would be terrific would like at that point to send the slides to Mark/Jeanne for their review

2. I am very much looking forward to being a fly on the wall at the E&E readiness review on the 19th - I'll be able to
attend from 11 am to 4 pm. (a) Is this still happening on the 19th? (b) Will this include a walkthrough of the FFM
web workflow, including Plan Compare? The reason I ask is that David Simas is very interested in being a fly on
the wall for a walkthrough of the FFM web workflow, and also would love to soak up a sense of the underlying
complexity of the overall Mktplace machine. If the 19th will include a walkthrough of the FFM web workflow,
then wanted to ask if David could come with me (for some or all of the time). He would really appreciate the
opportunity, and/but also doesn't want to disrupt things in any way. (FYI, I've briefed him in detail about the
fact that we've locked down business requirements and are in pure operational execution mode for Oct 1/Jan
1). Thoughts?

Thank you!
Todd
To: Todd Y Park; Chao, Henry (CMS/OIS)
Subject: Re: Draft write-up

Looks good

Readiness reviews will continue throughout december as functions evolve and change. Henry is figuring out frequency
by function so defer to him

Also - the 9th question on SHOP needs revisited given recent decisions. We left it on as a placeholder. For your
backpocket the 9 questions map to over 90 plus data sources and items. Also - the front end guys - training and
consumer assistance is underway and will be eventually subsumed into a management information dashboard

Michelle

Sent from my BlackBerry Wireless Device

From: Park, Todd [mailto:
Sent: Monday, July 15, 2013 12:02 PM
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Subject: Draft write-up

Hi Henry and Michelle, here's the draft write-up for the 4:30 meeting this afternoon am keeping it high-level, as you'll
see.... Any and all edits would be greatly appreciated! Henry, I'll connect with you at 2:15 pm, thanks!
From: Park, Todd 
Sent: Wednesday, July 17, 2013 12:33 
To: Michelle.Snyder; Marilyn.Tavenner; Aryana.Khalid; henry.chao 
Cc: Graubard, Vivian 
Subject: RE: Two quick things 
Attachments: IT slide v1.pptx 


Hi team, draft slide enclosed (hews closely to the Word document) any edits by 4 pm tomorrow (Wednesday) would 
be hugely appreciated, thanks! 
Sent from my BlackBerry Wireless Device 


From: Park, Todd [mailto: 
Sent: Tuesday, July 16, 2013 05:44 PM 
To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian 
Subject: Two quick things 


Hi Marilyn, Aryana, Michelle, and Henry! Two quick items: 


1. I will be working on and sending you draft slides they will basically 
be a Powerpoint-ized version of the Word document we reviewed. If you could get me any comments by noon 
tomorrow, that would be terrific would like at that point to send the slides to Mark/Jeanne for their review 


2. I am very much looking forward to being a fly on the wall at the E&E readiness review on the 19th - I'll be able to 
attend from 11 am to 4 pm. (a) Is this still happening on the 19th? (b) Will this include a walkthrough of the FFM 
web workflow, including Plan Compare? The reason I ask is that David Simas is very interested in being a fly on 
the wall for a walkthrough of the FFM web workflow, and also would love to soak up a sense of the underlying 
complexity of the overall Mktplace machine. If the 19th will include a walkthrough of the FFM web workflow, 
then wanted to ask if David could come with me (for some or all of the time), he would really appreciate the 
opportunity, and/but also doesn't want to disrupt things in any way (FYI, I've briefed him in detail about the 
fact that we've locked down business requirements and are in pure operational execution mode for Oct 1/Jan 
1). Thoughts? 


Thank you! 
Todd 
Marketplace IT Status Summary 

Federally Facilitated Marketplace and Data Hub IT are on track to be up and 
running for October 1 go-live 

- Need to continue to hold the line with respect to lockdown of business requirements 

- Readiness reviews by functional area are being executed nearly every week from now 
through Oct 1 and Jan 1, enabling identification and resolution of issues 

- Testing of data flows among Federal agencies is far along, is in mid-process with States, 
and is in the early stages with Issuers. End-to-end testing with all partners is planned 
for Aug 15-31 

- Post Oct 1, development and testing work will continue at high intensity on additional 
FFM modules required to support financial mgmt/plan payment beginning Jan 2014 

As with any large-scale new program launch, there will be a stream of issues on 
and after go-live - CMS is standing up a Marketplace Operations Center to 
monitor operations and systems and lead rapid response to issues as they arise 

Will be critical to tightly manage the flow and approval of Qualified Health Plan 
data over the next two months - i.e., State Department of Insurance approval of 
plans (7/31), Issuer review of their plans via FFM Plan Compare view (beginning 
8/1), CMS review, final certification of plans for display (9/7) 

State-Based Marketplaces - need SBMs to understand unequivocally that they 
are accountable for bringing live Marketplaces in their states by Oct 1 (FFM 
cannot backfill at the last second) 
From: Snyder, Michelle (CMS/OA) 
Sent: Wednesday, July 17, 2013 5:05 PM 
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian 
Subject: Re: Two quick things 


Sorry, just got off the hill. Slide looks fine. No edits. 

Thanks 

Michelle 


Sent from my BlackBerry Wireless Device 


From: Park, Todd [mailto: 
Sent: Wednesday, July 17, 2013 12:33 AM 
To: Snyder, Michelle (CMS/OA); Tavenner, Marilyn (CMS/OA); Khalid, Aryana C. (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian 
Subject: RE: Two quick things 


Hi team, draft slide enclosed (hews closely to the Word document) any edits by 4 pm tomorrow (Wednesday) would 
be hugely appreciated, thanks! 


From: Park, Todd 
Sent: Tuesday, July 16, 2013 7:10 PM 
To: Marilyn.Tavenner; Aryana.Khalid 
Cc: Graubard, Vivian 
Subject: RE: Two quick things 


OK, no problem - it looks like I only need to put together one slide, and it will adhere tightly to and simply summarize 
the points in the Word doc. Will send the slide to you tonight - if you could send me any edits by 4 pm tomorrow, that 
would be great; draft slides are being circulated to Deputies for comment at 5 pm. (It will take you 5 min to read the 
slide) 

And I/David won't come to the readiness reviews - don't want to distract or disrupt; which upon reflection I suspect 
would happen even if we didn't say a single thing. 

(Will follow up later about a possible focused briefing session for David and me in Baltimore that happens at the 
appropriate moment) 

May the Force be with you in the hearing tomorrow, 

Todd 
From: Allen, Jessica 
Sent: Monday, July 08, 2013 06:01 PM 
To: DL-WHO-Press 
Subject: NYT: 10 Questions for Obama's Chief Technology Officer 

http://thecaucus.blogs.nytimes.com/2013/07/08/10-questions-for-obamas-chief-technology-officer/?src=twr 
July 8, 2013, 5:48 pm 

10 Questions for Obama's Chief Technology Officer 

By JOHN HARWOOD 

VIDEO 

Todd Park, a former Silicon Valley entrepreneur, serves as President Obama's chief technology officer. His role has taken 
on heightened importance after several recent developments, including the implementation of the new health care law, 
efforts to reduce the backlog in Department of Veterans Affairs claims processing, and privacy issues raised by 
disclosures about data collection by the National Security Agency. Mr. Park spoke with John Harwood of The Times and 
CNBC at the White House as Mr. Obama publicly challenged his administration to improve the government's innovation 
and efficiency in his second term. 

What follows is a condensed, edited account of their conversation. 

Q. 

Government has a reputation for being clunky, slow, inefficient. What do you think you have been able to accomplish? 

A. 

There are phenomenal people harnessing the power of tech and innovation to help government work better, cost less 
and help grow the economy. For example, in the recent Hurricane Sandy and Oklahoma tornado response, FEMA has 
harnessed tech in all kinds of ways to deliver better results. To get housing to folks, you used to rely exclusively on the 
ground inspectors, now we can use satellite and analytics to figure out what areas need help and get help faster. In 
addition, a majority of folks who registered for disaster aid post-Sandy were able to do so via mobile phone or Internet. 
Even when folks didn't have access, FEMA inspectors came back with iPads to actually register them for aid. 

Another example: I was recently traveling with the president to Austin, where he launched a new executive order that 
opens up tons of government data - everything from health and medicine and science to safety and more - as 
machine-readable, free fuel for entrepreneurs to tap to create new companies and jobs. The president's attitude is, this 
is America's data. All kinds of entrepreneurs are picking up that data to help grow the economy. 

Q. 

Possibly the biggest thing the government has going right now is trying to implement the health care law. The 
administration announced a delay in the employer mandate; they couldn't get it done in time. What does that tell you 
about the limits of technology in making it work more rapidly and efficiently? 

A. 

The president is really focused on implementing the law very well. Business expressed concern that there are issues to 
be worked through, so it was a sensible thing to do to say, "O.K., let's work through those issues." Oct. 1, we'll be 
bringing live the new health marketplaces. Things are on track to make that happen. There is a whole team at the U.S. 
Department of Health and Human Services working incredibly hard, night and day, on bringing out these new health 
marketplaces. We have actually done a huge amount of user testing on it to make sure the Web site is as user-friendly as 
possible. The prototypes are incredibly impressive. 

Q. 

No doubt they'll be up and running in October? 

A. 

They'll be up and running Oct. 1. 

Q. 

Let me ask you about the culture of Washington. It has a reputation as being the opposite of the Silicon Valley culture in 
terms of agility and decision-making, flexibility, innovation. What have you found? 


A. 

I have actually found a lot more similarities than you might expect. Whenever the president gives us a mission to 
harness tech innovation and get something done for the American people, in terms of growing the economy and 
improving health care, we go find the folks across government who have been dreaming about that for a really long 
time. They're out there, they're incredibly talented innovators. We team them together into what we call a virtual start- 
up that's running inside the government, to move Silicon Valley speed to get stuff done. When you have the air cover 
like President Obama, who is deeply passionate about harnessing innovation and tech, it is possible for these focused 
teams to get a lot done in a short period of time. It's hard to actually build anything new, but it turns out if you apply a 
lot of the same techniques that make Silicon Valley companies successful to internally change parts of the government, 
they definitely work. 

Q. 

Talk about how those virtual start-ups work, and how many are there? 

A. 

The way they operate is modeled on a philosophy called "lean start-up," which was popularized recently by Eric Ries. You 
want to build small, interdisciplinary, agile teams that have strategy, policy, ops and tech all represented in one team, all 
working to solve one problem. Secondly, there's an emphasis on rapid prototype. You don't think aircraft carrier, you 
think rowboat - the smallest possible thing I can deliver to my actual customer as early as possible, so they can actually 
start getting their engagement. The third principle is rapid iteration - iterate that product at high speeds with versions 
released every few days or every few weeks, instead of every few months or years, so you maximize the learning. So 
from the ground up, you eventually get to a real understanding of what the customer wanted and how to create 
something that delivers that. So that's the model that we've been adopting. 

There are about 15 or so that I personally oversee. But this is actually a model that's been cloned across the 
government. The key is that we have an idea, we find the three or five people initially that had the idea a long time ago 
or had a similar idea across the government, put them together in this lean start-up team, liberate them to actually 
operate, give them the air coverage to do so, and they rock 'n' roll from there. 

Q. 

One of the innovations the president is going to talk about is something called Blue Button at the Department of 
Veterans Affairs to help people get their medical records quickly. The department has gotten a reputation for the very 
slow process of handling disability claims, and it has gotten mocked for stacks of paper records. So why shouldn't the 
average person say, "Great, Blue Button is fantastic, but you have such a bigger problem than that and you aren't 
making much headway?" 

A. 

The backlog issue, as you know, is one that the administration inherited. The administration, on top of that, passed a 
whole set of rules that expand eligibility and increase the number of claims. There is an unprecedented, 
governmentwide effort that is pretty amazing to take that problem out, to take the whole backlog problem out to 
apply technology and process change. We're actually beginning to see the progress of the backlog beginning to come 
down at a growing clip, and we think we're going to be able to meet our goals there. The president has made it super 
clear that this is a top, major priority. There's a huge team, a cross-agency team, a cross-government team that's 
actually working very hard at this complex problem and taking it out. 

Q. 

You did consulting for Booz Allen Hamilton, the firm that employed the National Security Agency leaker Edward J. 
Snowden. What is your concern in regard to privacy with government technology and the centralization of information? 

A. 

It's incredibly important to protect personal privacy, and it's something that the administration has been championing 
from the very beginning, advocating for consumer privacy bill of rights and making sure we build privacy protections into 
the Affordable Care Act and lots of different venues of activity. I think a lot has been accomplished there. I think it's 
important to stay abreast of the continuing trends, and to make sure that we are tracking with those trends and 
ensuring that consumer privacy is protected everywhere possible. 

Q. 

What's a reasonable way of looking at the success of the open-data policy that the president implemented? How quickly 
will we see results from that? 

A. 

That's something actually that we've been working on since the president's first day in office, when he submitted his 
open-government memorandum. There's over 75,000 data sets on data.gov already, everything from daily hospital 
charges for different procedures across the country, to credit card complaints, account affordability, weather, climate, 
and so forth. So there's a bunch of data that's already been out there, and a bunch of data that has been downloaded 
and used by companies like Opower, which is a start-up that uses government energy trends and weather data to help 
consumers save money on their energy bills. Companies like iTriage, which was started a couple of years ago from a 
couple of emergency room doctors from Denver, that used downloaded data from the Department of Health and 
Human Services to help you use on a mobile app, based on what's wrong with you, to get the best local doctors and 
hospitals to help you. What the executive order does is it says, going forward as a new default, all newer modernized 
government resources should be made open and machine-readable while protecting privacy and national security, 
which turbocharges the number of data sets on data.gov, and therefore turbocharges the new company creation and 
job creation that results. 

Q. 

Do you feel, as a Silicon Valley guy that has started companies, like a fish out of water in Washington? 

A. 

A lot of people ask me that question, a lot of my friends back home. It's been the most amazing entrepreneurial 
experience I've ever had. The opportunity you have here to work with teams that are making changes happen at scale is 
quite extraordinary. The impact you can have is mass times velocity. If you take an opportunity like this, with the scale of 
opportunity for change that it has, and combine it with the ability to do lean start-up with air cover of the president to 
make change happen rapidly, that mass times velocity equation is going to have an impact. 

Q. 

I thought Washington was all mass and no velocity. 

A. 

It's interesting, it turns out that it can have velocity on innovation ambitions, if you have a president that cares about 
that. 

Transcribed by Katherine L Kreider 
From: Wallace, Mary H. (CMS/OC) 
Sent: Saturday, June 29, 2013 10:33 AM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Booth, Jon G. (CMS/OC) 
Subject: RE: Follow-up 


Todd, 

Just to follow up on what Henry flagged with IDEO. We can talk about this more, but I think the real concern is to not 
have contractors trying to interpret what they think you or others from HHS or the White House asked them to do. The 
biggest help would be for all of you to carry the message that the best thing IDEO (or any contractor) can do is what CMS 
is asking them to do. In IDEO's case this is Jon Booth's team giving them direction. 

We have a lot of contractors supporting this effort and we are working hard to keep them all on the right track to get 
everything done in time. 

Thanks 


From: Park, Todd [ 
Sent: Saturday, June 29, 2013 9:26 AM 
To: Chao, Henry (CMS/OIS) 
Cc: Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 

Will work on making both of these things happen as you've requested and report back! 


From: Chao, Henry (CMS/OIS) [mailto: 
Sent: Saturday, June 29, 2013 09:02 AM 
To: Park, Todd 
Cc: Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 


Todd, 


I talked to Michelle and she would like for the follow-up to just be with you. 

Also I wanted to talk to you about a meeting you had with Ideo. Apparently something was misinterpreted from what 
you said and the top dog you met with circled back to OC (since they are one of the contractors in the mix) and started 
to work on an alternate rendering of the paper form as if they were instructed to follow a different set of requirements. 
This is a pretty big issue since Ideo does not get to change requirements and scope without it coming from CMS directly. 
If there's anything you can do to help clear this up we would greatly appreciate it, or rather the program would 
appreciate it since it will hold the line on confusion and nd:. 


Thanks, 


Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 

(Pri) 

(BB) 

From: Park, Todd [mailto: 
Sent: Thursday, June 27, 2013 12:26 AM 
To: Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian; Lynch, Laura; VanRoekel, Steven 
Subject: RE: Follow-up 


Hi Henry, I'd love to try Tuesday, July 9, 4 pm to 8 pm. Looping Steve and Laura - Steve would like to come, 
too! (Steve, this is the Marketplace IT and testing deep-dive we discussed) - Steve, can you make this time? 


Viv, if Steve can make this time, let's book it. We should also invite Bryan Sivak and Frank Baitman, if they would like to 
attend. I'll bring enough carrots, ginger beer, pita bread, and hummus for everybody :) 


Thanks, Henry! 
Todd 


From: Chao, Henry (CMS/OIS) [mailto: 
Sent: Wednesday, June 26, 2013 11:16 PM 
To: Park, Todd 
Cc: Graubard, 
Subject: Re: Follow-up 


Todd, 

For planning purposes I am blocking the following dates and times. Let me know which works for you. Thanks. 


Monday July 8 5pm to at least 9pm 
Tuesday July 9 4pm to at least 8pm 
Monday July 15 5pm to at least 9pm 
Tuesday July 16 4pm to at least 8pm 


Henry Chao 

Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 


7500 Security Blvd. 
Baltimore, MD 21244 

(Pri) 

(Wk) 
(BB) 
Hi Mary, thank you for the flag, will absolutely do! 


From: Wallace, Mary H. (CMS/OC) [mailto: 
Sent: Saturday, June 29, 2013 10:33 AM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Booth, Jon G. (CMS/OC) 
Subject: RE: Follow-up 



Todd, 

Just to follow up on what Henry flagged with IDEO. We can talk about this more, but I think the real concern is to not 
have contractors trying to interpret what they think you or others from HHS or the White House asked them to do. The 
biggest help would be for all of you to carry the message that the best thing IDEO (or any contractor) can do is what CMS 
is asking them to do. In IDEO's case this is Jon Booth's team giving them direction. 

We have a lot of contractors supporting this effort and we are working hard to keep them all on the right track to get 
everything done in time. 

Thanks 

Mary 


From: Park, Todd [ 
Sent: Saturday, June 29, 2013 9:26 AM 
To: Chao, Henry (CMS/OIS) 
Cc: Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 


Will work on making both of these things happen as you've requested and report back! 


From: Chao, Henry (CMS/OIS) [mailto: 
Sent: Saturday, June 29, 2013 09:07 AM 
To: Park, Todd 
Cc: Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 


Todd, 


I talked to Michelle and she would like for the follow-up to just be with you. 


Also I wanted to talk to you about a meeting you had with Ideo. Apparently something was misinterpreted from what 
you said and the top dog you met with circled back to OC (since they are one of the contractors in the mix) and started 
to work on an alternate rendering of the paper form as if they were instructed to follow a different set of requirements. 
This is a pretty big issue since Ideo does not get to change requirements and scope without it coming from CMS directly. 
If there's anything you can do to help clear this up we would greatly appreciate it, or rather the program would 
From: Chao, Henry 
Sent: Saturday, June 29, 2013 4:32 PM 
To: Park, Todd; Wallace, Mary H. (CMS/OC) 
Cc: Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 


As soon as Vivian confirms your calendar for the 9th (4pm to ?) I was going to send Jon and Mary the appointment. 

Henry Chao 

Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 



From: Park, Todd 
Sent: Saturday, June 29, 2013 04:23 PM 
To: Wallace, Mary H. (CMS/OC); Chao, Henry (CMS/OIS) 
Cc: Booth, Jon G. (CMS/OC) 
Subject: Re: Follow-up 


Hi team, just pinged Team IDEO (including the CEO) and said that they should be sure to follow CMS's lead, and that 
CMS is the unambiguous operational leader of all of the Marketplace work in case that wasn't clear 


The idea related to UX that came up in the discussion IDEO's CEO was making sure that ideas to optimize language 
and UX got the right level of air cover on behalf of the user vs. other policy considerations. We (David Simas and I) 
expressed support for the idea of ensuring there is a clear process to make UX decisions that are user-centric 

But what I've clarified in our follow-up ping is that we are going to circle back with CMS on this (to understand current 
UX decisionmaking process and if any further support/air cover for user-centric-ness is needed on an ongoing basis). 

And again, I emphasized the need for IDEO to listen to CMS for actual direction 

Henry, perhaps we can touch base about the UX decisionmaking process at our deep dive? Would be wonderful to have 
Jon and Mary attend for part of that session to discuss the current state of the UX and ongoing process, if any process 
optimizations might be useful, they may or may not be relevant for Oct 1 could be useful post Oct 1. 


Please let me know if IDEO remains at all confused about things, and many apologies if we created confusion! 

Semper fi, 

Todd 
From: Khalid, Aryana C (CMS/OA) 
Sent: Thursday, September 12, 2013 4:05 PM 
To: Tavenner, Marilyn (CMS/OA); Park, Todd 
Cc: Snyder, Michelle (CMS/OA) 
Subject: RE: Hi Marilyn 

Marilyn is exactly right we need everyone's support right now and we need folks talking to the advocates saying this is a 
momentous time in our country's history, b/c it is. We are standing up something that has never been done before and 
even though some pieces are coming online a little later what the team is doing is unprecedented. Not even standing 
up Medicare and Medicaid can compare to this. We need people out there talking to the advocates and asking them to 
stand up with us and say this is a big deal and there are many ways for folks to apply: 

1. Online in English on day 1 

2. With an in-person assister on day 1 in various languages 

3. With the call center on day 1 in many languages 

I know you are trying to help us and we so appreciate it. What we need is folks focusing on what they can do which is 
the messaging and talking to the advocates, not focusing on the IT or trying to come up with creative solutions to solve 
this. I hope this makes sense. 

Aryana 


From: Tavenner, Marilyn (CMS/OA) 
Sent: Thursday, September 12, 2013 3:54 PM 
To: Todd Y Park 
Cc: Snyder, Michelle (CMS/OA); Khalid, Aryana C (CMS/OA) 
Subject: Re: Hi Marilyn 

Yes but go through Michelle first, I am copying her and Aryana. Michelle I had explained to Todd who was asking gently 
what the issues were. I told him band width primary so we can not get there by 10/1. Second was implementation risk. 
Todd I need folks to understand the VERY best way they can help us is to reach out to the advocates - educate them and 
garner their energy/support. We have the same issues within Medicaid (meaning functionality coming up in stages) and I 
have sent Cindy and Andy Schneider to work with advocates. Thanks! M. 


From: Park, Todd [mailto: 
Sent: Thursday, September 12, 2013 03:38 PM 
To: Tavenner, Marilyn (CMS/OA) 
Subject: RE: Hi Marilyn 


I know you do :) To help with internal understanding here at the WH (and therefore with mobilizing energy and help for 
external messaging!), would you mind if I got on the phone with Henry for 5 min to get a quick download on the tech 
details? It makes a lot of intuitive sense that sequencing would be much safer it would help if I were armed with a bit 
more tech detail.... 


From: Tavenner, Marilyn (CMS/OA) [mailto: 
Sent: Thursday, September 12, 2013 3:30 PM 
To: Park, Todd 
Subject: Re: Hi Marilyn 
From: Park, Todd 
Sent: Thursday, September 12, 2013 03:13 PM 
To: Tavenner, Marilyn (CMS/OA) 
Subject: Hi Marilyn 

Hi Marilyn, hope all is terrific with you as we enter the homestretch on the road to October 1! 
spirits are with you and team! 

I understand that you and Chris had a conversation about HC.gov in Spanish in which you underlined the importance of a 
smooth go-live on October 1 and therefore the need to push HC.gov in Spanish to Oct 15. 

Just to emphasize, Chris is supportive of your position, and did not ask me to ping you! 

Macon pinged me, and asked what the root of the technical issue was and if a creative solution might be possible. I said 
that I would check with you :) Might you be able to circle back with your tech team on this question? If it would be 
even remotely helpful, I would be more than happy to join the technical conversation as well. 

Thank you and team so very much again for the truly heroic work you are doing - may the Force continue to be with 
you! 
From: McGuinness, Tara 
Sent: Saturday, June 22, 2013 PM 
To: Park, Todd; Simas, David M.; Lee, Jesse C. 
Subject: Re: this is great 


Also david, maybe when you and todd are in GA this week, you could do some in-person press meetings. 


From: Bataille, Julie (CMS/OC) [mailto: 
Sent: Saturday, June 22, 2013 10:14 PM 
To: McGuinness, Tara; Sivak, Bryan (HHS/IOS) 
Subject: RE: this is great 

There fe a blog by Bryan in Sie wcxks along iirKs{Brv^ I,haN«n^seea latESt versian) ,but a^me theft could go 
irto an Knal rejatfi/ely quickly tbo —WH^qld thWc.wew^t that afnyto <^ea'^^i,ity,;vyerrfeffence^e ste in the 
press release Itself. Bryaii can piate ^ese prints at the In person press bd^g Mbn^ybutsibce titpse are r^liy 
heafthcare r^rters <rthw caiis on points is ppbabiy best to get this koiV out -am hoping the terii pieces cf tills 

will ^rye as some islidaib'bn for rhovirig in the right ainartiierdrectiDrias-am, worried the fisaiihcare folks are likely tn be 
disapponted that the appldatloh and pteh corr^re a’^'t yet iw e. Uat me krow what we can do to help. 

Me 


From: McGuinness, Tara [ 
Sent: Saturday, June 22, 2013 10:05 PM 
To: Sivak, Bryan (HHS/IOS); Park, Todd; Simas, David M.; Bataille, Julie (CMS/OC); Lee, Jesse C. 
Subject: Re: this is great 


+julie and jesse 


In addition to a tech press push and some mainstream folks who like to write about this, we should have an email 
drafted (bryan can you do that) that lays out what we are doing and hyperlinks to more interesting parts of the site and 
to this piece - this could go to tech elites on monday. I have some ideas about a list of folks who should receive such an 
email, but you all might have more. 

Todd, do you have a list like that? I am on a techie-organizer google group. I can also check with OPE. It might actually be 
better coming from an outside validator than us. 

-tara 


From: Sivak, Bryan (HHS/IOS) [mailto: 
Sent: Saturday, June 22, 2013 07:51 PM 
To: Park, Todd; McGuinness, Tara; Simas, David M. 
Subject: Re: this is great 


Oh, one other thing: Todd is exactly right - this is the launch of the "learn" side, which is the informational, "get 
prepared" content. The actual marketplace launches (obviously) October 1st, although there will be more functionality 
added to hc.gov in the interim, such as the ability to create accounts. 


On Jun 22, 2013, at 19:14, "Sivak, Bryan (HHS/IOS)" < wrote: 
Longish story. Alex has been following this since we made the design decisions he describes, roughly six 
months ago. As I think you guys know, we're in "soft launch" mode this weekend and are encouraging 
people to hold off on Monday to really "break" the news. Having said that, it's the internet and once 
something is put there it's out there. 

IMHO, Alex put together a really fantastic piece on the technical side of what we're doing. He nailed the 
importance not just for hc.gov but for gov't tech in a broader sense. I know he's shopping this piece 
right now and he told me it might get picked up by one or two larger publications. 

There are a few other tech details we're holding back until Monday (for example, 
the http://www.healthcare.gov/developers page), which I'm planning on talking to a few other outlets on 
Monday about once we're in official launch mode. I assume you guys have connections at fairly high 
levels, so if you want to put me in touch with people, I'm happy to talk today/tomorrow for a Monday 
publication, or on Monday whenever. 

To answer the specific question about code and availability - we are going to publish the code this week 
(maybe Monday along the official launch if everything works out). If you take a look at the 
/developers page you'll see that we have detailed the programmatic mechanisms for accessing content, 
but have a "coming soon" where the links to the GitHub repos are. 

Happy to answer any other questions. This is a paradigm shift for the federal government and the fact 
that it's happening on healthcare.gov is a really big deal for the tech community. 

Bryan 


From: Park, Todd 
Sent: Saturday, June 22, 2013 7:01 PM 
To: McGuinness, Tara; Simas, David M. 
Cc: Sivak, Bryan (HHS/IOS) 
Subject: Re: this is great 

Looping Bryan — I believe what Alex Howard is discussing in this (great) piece is the new Healthcare.gov 
content site, which is up and running, and for which the code has been posted on Github (an online 
repository for open source code). The content site will front-end the Marketplace - but the actual 
Marketplace eligibility-checking/enrollment/plan compare functionality is not up yet. Bryan, can you 
confirm/elaborate? Thanks! 

Todd 


From: McGuinness, Tara 
Sent: Saturday, June 22, 2013 06:08 PM 
To: Simas, David M.; Park, Todd 
Subject: Re: this is great 

Yes. Good idea, interesting - they found this up. No other reporters have found it. 

I'll connect w/ folks about a push. Todd, I thought all the code was going up later, not now, am I wrong 
about that? 


From: Simas, David M. 
Sent: Saturday, June 22, 2013 04:39 PM 
To: McGuinness, Tara; Park, Todd 
Subject: this is great 

Would be good if other tech related pubs write something good about this. 
From: Bataille, Julie (CMS/OC) < 
Sent: Saturday, June 22, 2013 10:14 PM 
To: McGuinness, Tara; Sivak, Bryan (HHS/IOS); Park, Todd; Simas, David M.; Lee, Jesse C. 
Subject: RE: this is great 

There is a blog by Bryan in the works along these lines (Bryan I haven't seen latest version) but assume that could go 
into an email relatively quickly too - would think we want that timed to code availability, we reference the site in the 
press release itself. Bryan can make these points at the in person press briefing Monday but since those are really 
healthcare reporters other calls on these points is probably best to get this story out - am hoping the tech pieces of this 
will serve as some validation for moving in the right consumer direction as am worried the healthcare folks are likely to be 
disappointed that the application and plan compare aren't yet live. Let me know what we can do to help. 

Julie 


From: McGuinness, Tara 
Sent: Saturday, June 22, 2013 10:05 PM 
To: Sivak, Bryan (HHS/IOS); Park, Todd; Simas, David M.; Bataille, Julie (CMS/OC); Lee, Jesse C. 
Subject: Re: this is great 

+julie and Jesse 

In addition to a tech press push and some mainstream folks who like to write about this, we should have an email 
drafted (bryan can you do that) that lays out what we are doing and hyperlinks to more interesting parts of the site and 
to this piece- this could go to tech elites on monday. I have some ideas about a list of folks who should receive such an 
email, but you all might have more. 

Todd, do you have a list like that? I am on a techie-organizer google group. I can also check with OPE. I might actually be 
better coming from an outside validator that us. 

—tara 


From: Sivak, Bryan [mailto: 
Sent: Saturday, June 22, 2013 07:51 PM 
To: Park, Todd; McGuinness, Tara; Simas, David M. 
Subject: Re: this is great 

Oh, one other thing; Todd is exactly right - this is the launch of the "learn" side, which is the informational, "get 
prepared" content. The actual marketplace launches (obviously) October 1st, although there will be more functionality 
added to hc.gov in the interim, such as the ability to create accounts. 


On Jun 22, 2013, at 19:14, "Sivak, Bryan (HHS/IOS)" 

Longish story. Alex has been following this since we made the design decisions he describes, roughly six 
months ago. As I think you guys know, we're in "soft launch" mode this weekend and are encouraging 
people to hold off on Monday to really "break" the news. Having said that, it's the internet and once 
something is out there, it's out there. 

IMHO, Alex put together a really fantastic piece on the technical side of what we're doing. He nailed the 
importance not just for hc.gov but for govt tech in a broader sense. I know he's shopping this piece 
right now and he told me it might get picked up by one or two larger publications. 

There are a few other tech details we're holding back until Monday (for example, 
the http://www.healthcare.gov/developers page), which I'm planning on talking to a few other outlets on 
Monday about once we're in official launch mode. I assume you guys have connections at fairly high 
levels, so if you want to put me in touch with people, I'm happy to talk today/tomorrow for a Monday 
publication, or on Monday whenever. 

To answer the specific question about code and availability - we are going to publish the code this week 
(maybe Monday along with the official launch if everything works out). If you take a look at the 
/developers page you'll see that we have detailed the programmatic mechanisms for accessing content, 
but have a "coming soon" where the links to the GitHub repos are. 

Happy to answer any other questions. This is a paradigm shift for the federal government and the fact 
that it's happening on healthcare.gov is a really big deal for the tech community. 

Bryan 
From: Sivak, Bryan (HHS/IOS) 
Sent: Saturday, June 22, 2013 11:28 PM 
To: Bataille, Julie (CMS/OC); McGuinness, Tara; Park, Todd; Simas, David M.; Lee, Jesse C. 
Subject: RE: this is great 
Attachments: launchbbgdraft'acCS06212Q13 - bds-aciJocx 

Here's the latest version of the blog post. Veronica Jackson in ASPA has it and is planning on sending it out through the 
regular HHS clearance process next week - the thought was to do the already planned campaign with traditional press 
on Monday (and Tuesday for the Spanish site) and then a day or so later drop this for an additional press hit. Just FYI, 
there are a couple of things that will probably change slightly with the attached (I think we have better pics of the design 
team, as an example) but the majority of the content and the structure will remain the same. 

I'm happy to work this into an email format for tech elites if you guys want to send something out on Monday... Tara, I 
know most of the people on that google group pretty well, can connect directly with them, but keep in mind they're 
primarily going to be social media amplifiers as opposed to traditional media or web publications. 

I was planning on reaching out to some of the tech world publications (TechCrunch, GigaOm, Wired, etc) on Monday 
post-launch to pitch the story. Happy to coordinate with any other outreach, though. 

Todd, David - let me know who you are going to see in CA, if anyone, and what details you need. Some of the usual 
suspects will already have some info but maybe it's worth hopping on a quick call to discuss. 


From: Bataille, Julie (CMS/OC) 
Sent: Saturday, June 22, 2013 10:14 PM 
To: McGuinness, Tara; Sivak, Bryan (HHS/IOS); Park, Todd; Simas, David M.; Lee, Jesse C. 
Subject: RE: this is great 

There is a blog by Bryan in the works along these lines (Bryan I haven't seen latest version) but assume that could go 
into an email relatively quickly too - would think we want that timed to code availability, we reference the site in the 
press release itself. Bryan can make these points at the in person press briefing Monday but since those are really 
healthcare reporters other calls on these points is probably best to get this story out - am hoping the tech pieces of this 
will serve as some validation for moving in the right consumer direction as am worried the healthcare folks are likely to be 
disappointed that the application and plan compare aren't yet live. Let me know what we can do to help. 

Julie 


From: McGuinness, Tara 
Sent: Saturday, June 22, 2013 10:05 PM 
To: Sivak, Bryan (HHS/IOS); Park, Todd; Simas, David M.; Bataille, Julie (CMS/OC); Lee, Jesse C. 
Subject: Re: this is great 

In addition to a tech press push and some mainstream folks who like to write about this, we should have an email 
drafted (bryan can you do that) that lays out what we are doing and hyperlinks to more interesting parts of the site and 
to this piece- this could go to tech elites on monday. I have some ideas about a list of folks who should receive such an 
email, but you all might have more. 

Todd, do you have a list like that? I am on a techie-organizer google group. I can also check with OPE. I might actually be 
better coming from an outside validator that us. 
http://e-pluribusunum.com/2013/06/22/why-the-way-the-healthcare-gov-exchange-was-built-matters/ 

From: Sivak, Bryan (HHS/IOS) < 
Sent: Monday, July 01, 2013 l^PM 
To: Snyder, Michelle (CMS/OA) 
Cc: Bataille, Julie (CMS/OC); Chao, Henry (CMS/OIS); Booth, Jon G. (CMS/OC); Wallace, Mary 
H. (CMS/OC); Herron, Julia (OS/IOS); Trenkle, Tony (CMS/OIS); Patel, Ketan (CMS/OC); 
Park, Todd; Baitman, Frank (OS/ASA/OCIO); Monteleone, Timothy (OS/ASA); Bowen, 
Marianne (CMS/OA); Armstead, Andrea E. (CMS/OA); Kerr, James T. (CMS/CMHPO); 
Khalid, Aryana C. (CMS/OA); Boulanger, Jennifer L. (CMS) 
Subject: Re: HealthCare.gov Open Source Release 

I am more than happy to be point on this for any inquiries from the Hill. Feel free to send them my way. 
Bryan 



We are getting lots of questions about privacy, program integrity etc from the Hill. We need some q's 
and a's on this - believe me the questions will be asked. If there had been a broad discussion about this 
I doubt that we would have agreed to implement quite this way. Who owns the story line on 
this? Copied Jennifer - needs to be in the loop going forward given all the activity on the Hub and 
marketplace front. 

Michelle 

A Michelle Snyder 
Chief Operating Officer 
DHHS/CMS/OA 



From: Bataille, Julie (CMS/OC) 
Sent: Saturday, June 29, 2013 7:19 AM 
To: Chao, Henry (CMS/OIS); Booth, Jon G. (CMS/OC); Sivak, Bryan (HHS/IOS) 
Cc: Wallace, Mary H. (CMS/OC); Herron, Julia (OS/IOS); Trenkle, Tony (CMS/OIS); Patel, Ketan 
(CMS/OC); Imi|iI I rniilBMBi Baitman, Frank (OS/ASA/OCIO); Monteleone, Timothy 
(OS/ASA); Bowen, Marianne (CMS/OA); Snyder, Michelle (CMS/OA); Armstead, Andrea E. 
Subject: Re: HealthCare.gov Open Source Release 

Henry. We share the concerns and are trying to balance many interests as well. We are excited to be at 
this point. We should put this on the agenda for marilyn's ops meeting as well I think and have added 
aryana as well. 


From: Chao, Henry (CMS/OIS) 
Sent: Friday, June 28, 2013 10:11 PM 
To: Booth, Jon G. (CMS/OC); Sivak, Bryan (HHS/IOS); Bataille, Julie (CMS/OC) 
Cc: Wallace, Mary H. (CMS/OC); Herron, Julia (OS/IOS); Trenkle, Tony (CMS/OIS); Patel, Ketan 
(CMS/OC); 'III I I I r Iil—HM Baitman, Frank 
(OS/ASA/OCIO); Monteleone, Timothy (OS/ASA); Bowen, Marianne (CMS/OA); Snyder, Michelle 
(CMS/OA); Armstead, Andrea E. (CMS/OA); Kerr, James T. (CMS/CMHPO) 
Subject: Re: HealthCare.gov Open Source Release 

I want to express my reservations about putting nearly all the source code for the hc.gov/Marketplace 
Portal Website on Github and making it available for absolutely anyone in the entire world to use. While 
in its current state it does not contain the code for the Online Application, someone with less than 
honorable intentions can easily stand up a shadow site that would fake out the general public and they 
can do it easily and literally in just a day or less. 

While I believe and support sharing and being open about our codebase I think we have to balance that 
with safeguarding security, privacy, and the public trust. 

I understand OC was told to do this so I am not challenging that. What I am going to advocate though is 
that we draw the line here and at our next release on 7/15, which contains the beginnings of 
"MyAccount" where people can start submitting their PII that CMS will not be putting that entire 
codebase out for anyone to use. We can work on doing it in such a way that it makes it difficult for 
anyone to stand up a shadow/phony site if necessary. 

I've copied Frank, Todd, and Michelle to make sure they are aware of this and my position. 

Thanks, 

Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 
(Pri) 
(Alt) 
(BB) 

From: Booth, Jon G. (CMS/OC) 
Sent: Friday, June 28, 2013 08:25 PM 
To: Sivak, Bryan (HHS/IOS); Bataille, Julie (CMS/OC) 
Cc: Wallace, Mary H. (CMS/OC); Herron, Julia (OS/IOS); Chao, Henry (CMS/OIS); Trenkle, Tony 
(CMS/OIS); Patel, Ketan (CMS/OC) 
Subject: HealthCare.gov Open Source Release 

Bryan & Julie, 

I wanted to let you know that the HealthCare.gov open source release is now live (in conjunction with the 1.1 
release that we just pushed to production). 

The Developers page ( https://www.healthcare.gov/developers ) has been updated with a link to our GitHub 
repo, which is located at https://github.com/CMSgov/HealthCare.gov-Open-Source-Release 

Please let me know if you have any questions or feedback. 

Thanks, 

Jon 
From: Sivak, Bryan (HHS/IOS) < 
Sent: Saturday, June 2013 2^)9 M4 
To: Chao, Henry (CMS/OIS) 
Cc: Booth, Jon G. (CMS/OC); Bataille, Julie (CMS/OC); Wallace, Mary H. (CMS/OC); Herron, 
Julia (OS/IOS); Trenkle, Tony (CMS/OIS); Patel, Ketan (CMS/OC); Park, Todd; Baitman, 
Frank (OS/ASA/OCIO); Monteleone, Timothy (OS/ASA); Bowen, Marianne (CMS/OA); 
Snyder, Michelle (CMS/OA); Armstead, Andrea E. (CMS/OA); Kerr, James T. 
(CMS/CMHPO); Kendall, Damaris (HHS/PS) 
Subject: Re: HealthCare.gov Open Source Release 

Henry, 

I understand your concerns and am happy to discuss this when I am back from vacation. Damaris can set up 
some time to talk. 

Bryan 


On Jun 29, 2013, at 4:11, "Chao, Henry (CMS/OIS)" < 

I want to express my reservations about putting nearly all the source code for the hc.gov/Marketplace 
Portal Website on Github and making it available for absolutely anyone in the entire world to use. While 
in its current state it does not contain the code for the Online Application, someone with less than 
honorable intentions can easily stand up a shadow site that would fake out the general public and they 
can do it easily and literally in just a day or less. 

While I believe and support sharing and being open about our codebase I think we have to balance that 
with safeguarding security, privacy, and the public trust. 

I understand OC was told to do this so I am not challenging that. What I am going to advocate though is 
that we draw the line here and at our next release on 7/15, which contains the beginnings of 
"MyAccount" where people can start submitting their PII that CMS will not be putting that entire 
codebase out for anyone to use. We can work on doing it in such a way that it makes it difficult for 
anyone to stand up a shadow/phony site if necessary. 

I've copied Frank, Todd, and Michelle to make sure they are aware of this and my position. 

Thanks. 

Henry Chao 
Deputy Chief Information Officer and Deputy Director 
Office of Information Services 
Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 
From: Booth, Jon G. (CMS/OC) 
Sent: Friday, June 28, 2013 08:25 PM 
To: Sivak, Bryan; Bataille, Julie (CMS/OC) 
Cc: Wallace, Mary H. (CMS/OC); Herron, Julia (OS/IOS); Chao, Henry (CMS/OIS); Trenkle, Tony 
(CMS/OIS); Patel, Ketan (CMS/OC) 
Subject: 

Bryan & Julie, 

I wanted to let you know that the HealthCare.gov open source release is now live (in conjunction 
with the 1.1 release that we just pushed to production). 

The Developers page ( https://www.healthcare.gov/developers ) has been updated with a link to 
our Github repo, which is located at https://github.com/CMSgov/HealthCare.gov-Open-Source-Release 

Please let me know if you have any questions or feedback. 
Thanks, 

Jon 
From: Chao, Henry (CMS/OIS) 
Sent: Tuesday, July 09, 2013 IhiB PM 
To: Couts, Todd (CMS/OIS) 
Cc: Grothe, Kirk A. (CMS/OIS); Oh, Mark U. (CMS/OIS); Park, Todd; Graubard, Vivian; Berkley, 
Katrina (CMS/OIS); Outerbridge, Monique (CMS/OIS) 
Subject: Sending Todd Park the series of Readiness Walk Through appointments 

Todd, 

Vivian is Todd Park's scheduler so please send her the appointment for the 7/19 E&E walkthrough and any other 
tentative dates for the other reviews. Todd mentioned he might not make it to all but would try to make the 19th and 
any others that he knows about. 

Thanks. 

Henry Chao 
Deputy Chief Information Officer and Deputy Director Office of Information Services Centers for Medicare & Medicaid 
Services 
7500 Security Blvd 
Baltimore, MD 21244 
(Pri) 
(Alt) 
(BB) 
From: Park, Todd 
Sent: Wednesday, July 10, 2013 12:56 AM 
To: michelle.snyder 
Cc: Graubard, Vivian; henry.chao 
Subject: Getting together 

Hi Michelle, spent five great hours this evening with Henry and the rest of your terrific IT team they are doing truly 
amazing work! 

When are you next in DC? Would love to see if we can get together in the next few days or the beginning of next week 
so that (a) I can run a summary IT status writeup by you, and which I will subsequently review with Marilyn (very high 
level slide or two, for presentation at an upcoming WH ACA monthly meeting) and (b) we can go over high-level status 
of action on key red team recommendations. 

I think 30 min would be enough time. We can call Henry in. Thoughts? 

Thank you! 

Todd 
From: 
Sent: Tuesday, July 2013 
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle 
(CMS/OA) 
Cc: Graubard, Vivian; Kerr, James T. (CMS/CMHPO) 
Subject: RE: Two quick things 

Todd, 

The will include a crude integrated application for discussion and internal review and will not have the compare 
piece up and running (recall the data will not be together and validated for testing until at least 8/15 and that's with a 
partial set). 

My recommendation is that the readiness review in which we conduct is not really conducive for being an observer at 
this point and we should stick to the briefing format for you at various intervals. 

Thanks. 

Henry Chao 
Deputy CIO & Deputy Director, 
Office of Information Services 
Centers for Medicare & Medicaid Services 

To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C. (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian 
Subject: Two quick things 

Hi Marilyn, Aryana, Michelle, and Henry! Two quick items: 

1. I will be working on and sending you draft slides they will basically 
be a Powerpoint-ized version of the Word document wer^e5?a!n*yPM?Pu|a^tme any comments by noon 
tomorrow, that would be terrific would like at that point to send the slides to Mark/Jeanne for their review 

2. I am very much looking forward to being a fly on the wall at the E&E readiness review on the 19th. I'll be able to 
attend from 11am to 4 pm. (a) Is this still happening on the 19th? (b) Will this include a walkthrough of the FFM 
web workflow, including Plan Compare? The reason I ask is that David Simas is very interested in being a fly on 
the wall for a walkthrough of the FFM web workflow, and also would love to soak up a sense of the underlying 
complexity of the overall Mktplace machine. If the 19th will include a walkthrough of the FFM web workflow, 
then wanted to ask if David could come with me (for some or all of the time) he would really appreciate the 
opportunity, and/but also doesn't want to disrupt things in any way..... (FYI, I've briefed him in detail about the 
fact that we've locked down business requirements and are in pure operational execution mode for Oct 1/Jan 
1). Thoughts? 

Thank you! 
Todd 
From: Snyder, Michelle (CMS/OA) < 
Sent: Tuesday, July 16, 2013 5:53 PM 
To: Park, Todd; Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Chao, Henry 
(CMS/OIS) 
Cc: Graubard, Vivian 
Subject: Re: Two quick things 

We are in a hearing tomorrow and will not be able to comment until the afternoon at the earliest 

We need to talk abt attendance at readiness reviews. I am sure you can anticipate my position on that 
Flys on the wall are seldom invisible and often distracting!!!! 

Michelle 

Sent from my BlackBerry Wireless Device 


From: Park, Todd [mailto: 
Sent: Tuesday, July 2013 PM 
To: Tavenner, Marilyn (CMS/OA); Khalid, Aryana C (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian < 
Subject: Two quick things 

Hi Marilyn, Aryana, Michelle, and Henry! Two quick items: 

1. I will be working on and sending you draft slides they will basically 
be a Powerpoint-ized version of the Word document wefewSwea^tySitoulagEtme any comments by noon 
tomorrow, that would be terrific would like at that point to send the slides to Mark/Jeanne for their review 

2. I am very much looking forward to being a fly on the wall at the E&E readiness review on the 19th. I'll be able to 
attend from 11am to 4 pm. (a) Is this still happening on the 19th? (b) Will this include a walkthrough of the FFM 
web workflow, including Plan Compare? The reason I ask is that David Simas is very interested in being a fly on 
the wall for a walkthrough of the FFM web workflow, and also would love to soak up a sense of the underlying 
complexity of the overall Mktplace machine. If the 19th will include a walkthrough of the FFM web workflow, 
then wanted to ask if David could come with me (for some or all of the time) he would really appreciate the 
opportunity, and/but also doesn't want to disrupt things in any way.... (FYI, I've briefed him in detail about the 
fact that we've locked down business requirements and are in pure operational execution mode for Oct 1/Jan 
1). Thoughts? 


Thank you! 
Todd 
From: Couts, Todd (CMS/OIS) 
Sent: Wednesday, July 10, 2013 GiO 
To: Graubard, Vivian; Chao, Henry (CMS/OIS) 
Cc: Grothe, Kirk A. (CMS/OIS); Oh, Mark U. (CMS/OIS); Park, Todd; Berkley, Katrina 
(CMS/OIS); Outerbridge, Monique (CMS/OIS) 
Subject: RE: Sending Todd Park the series of Readiness Walkthrough appointments 

Hi Vivian, 

Here are the dates: 

1. Friday, July 19 (9 to 4): Readiness Review Part 1 
2. Wed, July 24 (9 to 4): Readiness Review Part 2 
3. Friday, August 2 (8:30 to 3): Readiness Review Part 3 

Todd Couts 
Centers for Medicare & Medicaid Services 
Office of Info. Services | Consumer Information & Insurance Systems Group 
7700 Wisconsin Ave Bethesda MD 20814 | Location: 9308 


-----Original Message----- 
From: Graubard, Vivian [mailto: 
Sent: Wednesday, 2013 11:28 AM 
To: Couts, Todd (CMS/OIS); Chao, Henry (CMS/OIS) 
Cc: Grothe, Kirk A. (CMS/OIS); Oh, Mark U. (CMS/OIS); Park, Todd; Berkley, Katrina (CMS/OIS); Outerbridge, Monique 
(CMS/OIS) 
Subject: RE: Sending Todd Park the series of Readiness Walk Through appointments 

Thank you, Henry. 

Todd, before sending the appointments, if you wouldn't mind sending me a list of dates I need to block off (or 
reschedule around) - that would be great 

Thanks, 

Vivian 

-----Original Message----- 
From: Couts, Todd (CMS/OIS) [mailto: 
Sent: Wednesday, July 10, 2013 8:24 AM 
To: Chao, Henry (CMS/OIS) 
Cc: Grothe, Kirk A. (CMS/OIS); Oh, Mark U. (CMS/OIS); Park, Todd; Graubard, Vivian; Berkley, Katrina (CMS/OIS); 
Outerbridge, Monique (CMS/OIS) 
Subject: RE: Sending Todd Park the series of Readiness Walkthrough appointments 

Yes, I will do that 


Todd Couts 
I am in DC this Friday and next Monday. I understand Henry is helping with the write-up. Also got a question from 
Marilyn last night about have we "shut down the red team". I think the red team is pretty much passe at this 
juncture our readiness review activity but we can talk about that as well if you wish. 

Michelle 

Michelle Snyder 
Chief Operating Officer 
DHHS/CMS/OA 

From: Park, Todd [mailto: 
Sent: Wednesday, July 10, 2013 12:56 AM 
To: Snyder, Michelle (CMS/OA) 
Cc: Chao, Henry (CMS/OIS); Graubard, Vivian 
Subject: Getting together 

Hi Michelle, spent five great hours this evening with Henry and the rest of your terrific IT team they are doing truly 
amazing work! 

When are you next in DC? Would love to see if we can get together in the next few days or the beginning of next week 
so that (a) I can run a summary IT status writeup by you, and which I will subsequently review with Marilyn (very high 
level slide or two, for presentation at an upcoming WH ACA monthly meeting) and (b) we can go over high-level status 
of action on key red team recommendations. 

I think 30 min would be enough time. We can call Henry in. Thoughts? 


Thank you! 
Todd 
From: Park, Todd 
Sent: Wednesday, July 17, 2013 12:33 AM 
To: 'Michelle.Snyder; 'Marilyn.Tavenner; 'Aryana.Khalid; 'henry.chao 
Cc: Graubard, Vivian 
Subject: RE: Two quick things 
Attachments: IT slide v1.pptx 

Hi team, draft slide enclosed (hews closely to the Word document) any edits by 4 pm tomorrow (Wednesday) would 
be hugely appreciated, thanks! 

From: Park, Todd 
Sent: Tuesday, July 16, 2013 7:10 PM 
To: 'Marilyn.Tavenner; 'Aryana.Khalid; 'henry.chao 
Cc: Graubard, Vivian 
Subject: Re: Two quick things 

OK, no problem - it looks like I only need to put together one slide, and it will adhere tightly to and simply summarize 
the points in the Word doc. Will send the slide to you tonight - if you could send me any edits by 4 pm tomorrow, that 
would be great; draft slides are being circulated to Deputies for comment at 5 pm. (it will take you 5 min to read the 
slide) 

And I/David won't come to the readiness reviews — don't want to distract or disrupt, which upon reflection I suspect 
would happen even if we didn't say a single thing. 

(Will follow up later about a possible focused briefing session for David and me in Baltimore that happens at the 
appropriate moment) 

May the Force be with you in the hearing tomorrow, 

Todd 




From: Snyder, Michelle (CMS/OA) [mailto: 
Sent: Tuesday, July 16, 2013 05:53 PM 
To: Park, Todd; Tavenner, Marilyn (CMS/OA) <; Chao, Henry (CMS/OIS) <; Khalid, Aryana C. (CMS/OA) 
Cc: Graubard, Vivian 
Subject: Re: Two quick things 

We are in a hearing tomorrow and will not be able to comment until the afternoon at the earliest 

We need to talk abt attendance at readiness reviews. I am sure you can anticipate my position on that 
Flys on the wall are seldom invisible and often distracting!!!! 

Michelle 




OSTP ACA 0007080 





^xU'hl'h ^ 


Sent: Thursday, July 25, 2013 09:53 AM 
To: Park, Todd 
Cc Oh, Matl^ U 
Monique [(3^S/0.i5) < 

Baidey, Katriba {CMS/OltSy< 

<Lakslw5LManamhfe^| 

*P3uI.Weiss]|L 

Booth, Jon [CMS/0G),<|^ 

Subject: Walk through of the online application in hc.gov 


>; Cotib^ (CMS/blS) 

>•; Brothe, Kdc A 

»tR tone^ Rhonda D; (C MS/OK)~ 

^ braubard, <T]ch.martlr 

'^<che>Ylcanipbell^BBBBji^^C^Miroi.Maha fflb&du 

I <paill,Wets4H|H|||H^\^i!3^Marv H. (OViS/oa <1 



Todd, 

If you recall we had agreed to provide you a walk through and demo of the online application in its current form so you 
can get a chance to peek under the covers of hc.gov. 

Michelle mentioned you contacted her about this and that I should follow-up with you to schedule the walkthrough. 

Katrina can work with Vivian to find a window of opportunity next week if you agree. 
Let us know. 

Thanks, 

Henry Chao 
Deputy Chief Information Officer and Deputy Director Office of Information Services Centers for Medicare & Medicaid 
Services 
7500 Security Blvd 
Baltimore, MD 21244 
(Pri) 
(Alt) 
(BB) 
From: Mielke, Dawn M. 
Sent: Wednesday, July 31, 2013 9:22 AM 
To: Snyder, Michelle (CMS/OA); Park, Todd 
Cc: Graubard, Vivian 
Subject: RE: Walk through of the online application in hc.gov 

Sounds good, please call Todd at 

Best regards, 
Dawn Mielke 

Office of Science and Technology Policy 


-----Original Message----- 
From: Snyder, Michelle (CMS/OA) [mailto: 
Sent: Wednesday, July 31, 2013 9:16 AM 
To: Park, Todd; Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian; Mielke, Dawn M. 
Subject: RE: Walk through of the online application in hc.gov 

How about 9:45 - have a number you want me to call on? 

michelle 

A Michelle Snyder 
Chief Operating Officer 
DHHS/CMS/OA 


-----Original Message----- 
From: Park, Todd [mailto: 
Sent: Wednesday, July 31, 2013 8:32 AM 
To: Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS) 
Cc: Graubard, Vivian; Mielke, Dawn M. 
Subject: Re: Walk through of the online application in hc.gov 

Hi Michelle, great — Henry, please let me know if Aug 5 works for the mtg below; if so, I'll coordinate with Julian and 
David Simas to try to make sure that we can do 1 visit with all of us, for the sake of time efficiency for you and team 

And Michelle, would love to chat! I can talk anytime between 9:30 and 10:30, at 4:45, or at or any time after 6 pm - do 
any of those times work for you? 


Cheers, 

Todd 
-----Original Message----- 
From: Park, Todd [mailto: 
Sent: Tuesday, July 30, 
To: Chao, Henry (CMS/OIS) 
Cc: Snyder, Michelle (CMS/OA) 
Subject: RE: Walk through of the online application in hc.gov 

Hi Henry and Michelle, just circling back on the below, to see what general date range you think might make sense for 
this visit - would next week work? Just need to have a bit of advance time to line up Julian and David's schedules (and 
I'm out the week of August 12-16). Also: if you want to cut down on the time of the visit, ratcheting it down to 
something more like 60-90 minutes, or modify the agenda in any way, just let me know.... 

Thoughts? Thanks! 

Todd 




-----Original Message----- 
From: Park, Todd 
Sent: Thursday, July 25, 2013 a :gi PM 
To: 'henry.chao 
Cc: 
Subject: Re: Walk through of the online application in hc.gov 

Hi Henry, thanks so much! To provide more context, as I shared with Michelle, I'll be bringing David Simas and Julian 
Harris (Keith Fontenot's successor, newly arrived) with me. Would love to (1) walk through the current live online 
workflow (ideally from the start of the application through Plan Compare and selection) and (2) provide the opportunity 
for Julian to get the latest update on (a) IT dev, (b) testing, and (c) operational prep. 

materials whatsoever for the meeting, but it would be great to show him (a) the slide you showed me with all of the IT 
modules/completion dates, (b) the testing summary for fed agencies, states, issuers you wrote up recently (I think for 
someone's testimony)/or similar material, and (c) a slide (if you have it) of key operationalization steps (high level) on 
the road to Oct 1 and beyond (e.g., contract X let, center X live, etc.). 

Both Julian and David took great pains to ask that the visit not be disruptive to your work - I think that the message to 
give y'all the space to rock and roll is spreading :) 

So I'm thinking a focused two-hour visit, in Baltimore, going thru the live workflow, and using high-level materials you 
already have. 

Would week be best, or would the week after be better, or would either week be fine? I haven't yet pinged David 
and Julian for their availability, but wanted to see what was optimal for you first. It would be good to combine both of 
their visits, to save you time. Thoughts on timing? 

Michelle, it would be terrific for you to join - would be great for you to meet Julian and David, both of whom are terrific; 
and I've told both of them that you and Henry are pure awesomeness :) 


Thanksl 

Todd 


— Original Message —

From: Chao, Henry (CMS/OIS) [mailto:

From: Snyder, Michelle (CMS/OA) <
Sent: Wednesday, July 31, 2013 9:16 AM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Graubard, Vivian;
Subject: Walk through of the online application in hc.gov


How about 9:45... have a number you want me to call on?


michelle 


A Michelle Snyder
Chief Operating Officer
DHHS/CMS/OA



— Original Message —
From: Park, Todd [mailto:]
Sent: Wednesday, July 31, 2013 8:31 AM
To: Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Graubard, Vivian; Mielke, Dawn M.
Subject: Re: Walk through of the online application in hc.gov

Hi Michelle, great - Henry, please let me know if Aug 5 works for the mtg below; if so, I'll coordinate with Julian and
David Simas to try to make sure that we can do 1 visit with all of us, for the sake of time efficiency for you and team.

And Michelle, would love to chat! I can talk anytime between 9:30 and 10:30, at 4:45, or at or any time after 6 pm - do
any of those times work for you?


Cheers, 
Todd . 


— Original Message —
From: Michelle (CMS/OA) [mailto:
Sent: Wednesday, July 31, 2013 07:43 AM
To: Park, Todd; Chao, Henry (CMS/OIS) <
Subject: Re: Walk through of the online application in hc.gov

I think Julian was looking to be here on the 5th. Haven't spoken with Henry as to whether or not that works

Also - Todd - is there a good time to call you today - I have a proposition for you that doesn't involve marketplaces for a
change!!!!

Michelle

Sent from my BlackBerry Wireless Device
From: Park, Todd
Sent: Wednesday, July 31, 2013 9:43 PM
To:
Cc: Graubard, Vivian; Mielke, Dawn M.; 'monique.outerbridge; 'Todd.Couts
Subject: Re: Walk through of the online application in hc.gov

Henry, absolutely no problem, and again, please don't hesitate to say that another day would work better - we want to
prioritize your operational imperatives above all other things!


— Original Message —
From: Chao, Henry (CMS/OIS) [mailto:
Sent: Wednesday, July 31, 2013 08:13 PM
To: Park, Todd; Snyder, Michelle (CMS/OA) <
Cc: Graubard, Vivian; Mielke, Dawn M.; Outerbridge, Monique (CMS/OIS) <; Couts, Todd (CMS/OIS)
Subject: Re: Walk through of the online application in hc.gov

I have asked the folks involved on the CMS and CGI sides if the 5th will work but it might take until tomorrow to confirm
since it is the same people trying to get Lite Account launched.

Will respond as early as possible tomorrow morning.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

On 7/31/13 8:31 AM, "Park, Todd" wrote:


>Hi Michelle, great - Henry, please let me know if Aug 5 works for the
>mtg below; if so, I'll coordinate with Julian and David Simas to try to
>make sure that we can do 1 visit with all of us, for the sake of time
>efficiency for you and team.
>
>And Michelle, would love to chat! I can talk anytime between 9:30 and
>10:30, at 4:45, or at or any time after 6 pm - do any of those times
>work for you?
>
>Cheers,
>Todd
>
>Sent from my BlackBerry Wireless Device
> 

> 

> — Original Message —
>From: Park, Todd [mailto:
>Sent: Tuesday, July 30, 2013 09:43 PM
>To: Chao, Henry (CMS/OIS)
>Cc: Snyder, Michelle (CMS/OA)
>Subject: RE: Walk through of the online application in hc.gov
>
>Hi Henry and Michelle, just circling back on the below, to see what
>general date range you think might make sense for this visit - would
>next week work? Just need to have a bit of advance time to line up
>Julian and David's schedules (and I'm out the week of August 12-16).
>Also: if you want to cut down on the time of the visit, ratcheting it
>down to something more like 60-90 minutes, or modify the agenda in any
>way, just let me know....
>
>Thoughts? Thanks!
>
>Todd


> — Original Message —
>From: Park, Todd
>Sent: Thursday, July 25, 2013
>To: 'henry.chao
>Cc: 'Michelle.Snyder
>Subject: Re: Walk through of the online application in hc.gov
>
>Hi Henry, thanks so much! To provide more context, as I shared with
>Michelle, I'll be bringing David Simas and Julian Harris (Keith
>Fontenot's successor, newly arrived) with me. Would love to (1) walk
>through the current live online workflow (ideally from the start of the
>application through Plan Compare and selection) and (2) provide the
>opportunity for Julian to get the latest update on (a) IT dev, (b)
>testing, and (c) operational prep.
>
>For (2), Julian is interested in one level of detail below the
>presentation. I would not prepare any custom materials whatsoever for
>the meeting, but it would be great to show him (a) the slide you showed
>me with all of the IT modules/completion dates, (b) the testing summary
>for fed agencies, states, issuers you wrote up recently (I think for
>someone's testimony), or similar material, and (c) a slide (if you have
>it) of key operationalization steps (high level) on the road to Oct 1
>and Dec 1 (e.g., contract X let, center X live, etc.).
>
>Both Julian and David took great pains to ask that the visit not be
>disruptive to your work - I think that the message to give y'all the
>space to rock and roll is spreading :)
>
>So I'm thinking a focused two-hour visit, in Baltimore, going thru the
>live workflow, and using high-level materials you already have.
>
>Would next week be best, or would the week after be better, or would
>either week be fine? I haven't yet pinged David and Julian for their
>availability, but wanted to see what was optimal for you first. It
>would be good to combine both of their visits, to save you time.
>Thoughts on timing?
>
>Michelle, it would be terrific for you to join - would be great for
>you to meet Julian and David, both of whom are terrific; and I've told
>both of them that you and Henry are pure awesomeness :)
>
>Thanks!
>
>Todd

> 


> — Original Message —
>From: Chao, Henry (CMS/OIS) [mailto:
>Sent: Thursday, July 25, 2013 09:53 AM
>To: Park, Todd
>Cc:;Qb> Mdijiu(;cMyQlS)'<| 


>05Uts,Todd{CMS/01S) 


oOuterbrIdge, Monique (CMS/QIS) 

' ;erpthe; KirfcA (CWiyblS) 

Sj^Berkley, Katrina (CMS/015) 

R.hpnes, Rhonda.D; (CMS/OlS) 

■; Graubard, Vtviari;. 

^ch.martii( 

tficheryl.campbell | 

<Laksbmi,Manamhedu | 
’<!yiark;C^ etn| 

liRauLWeis^lllllllllllllllll^lllPTWaiiac^^ Mery Hi 
5Booth,JpnGi(CMS/OC) 


>'rich.triattii 
>'cher^,,Batti|Jbe|l| 

>'Laksfimi.ManahMdu| 

>'Mai3c.£:atera 
>'PauI.Weiss| 

>(CMS/dCj^ 

H . , _ , 

>Subject: Walk through of the online application in hc.gov



>Todd,
>
>If you recall we had agreed to provide you a walkthrough and demo of
>the online application in its current form so you can get a chance to
>peek under the covers of hc.gov.
>
>Michelle mentioned you contacted her about this and that I should
>follow-up with you to schedule the walk through.
>
>Katrina can work with Vivian to find a window of opportunity next week
>if you agree.
>
>Let us know.
>
>Thanks.
>
>Henry Chao
>Deputy Chief Information Officer and Deputy Director Office of
>Information Services Centers for Medicare & Medicaid Services
>7500 Security Blvd
>Baltimore, MD 21244


1B51 


4 


OSTP ACA 0007333




From: Chao, Henry
Sent: Thursday, August 01, 2013 1:20 PM
To: Park, Todd; Snyder, Michelle (CMS/OA)
Cc: Graubard, Vivian; Mielke, Dawn M.; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: Re: Walk through of the online application in hc.gov

Todd,

We have Lite Account roll out through Monday and Issuer/trades coming in on Tuesday so earliest would be Wednesday
or Thursday.

Henry Chao
Deputy Chief Information Officer and Deputy Director Office of Information Services Centers for Medicare & Medicaid
Services
7500 Security Blvd
Baltimore, MD 21244

I (Prij 
W 
W 

— Original Message —
From: Park, Todd [mailto:
Sent: Thursday, August 01, 2013
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Cc: Graubard, Vivian <; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS)
Subject: RE: Walk through of the online application in hc.gov

Hi Henry/Michelle, just some additional scheduling intel to consider - David Simas could be at CMS on Monday between
10 and 12:30. Julian will be there all morning and says that he has meetings from 10 to 12. If Monday is a good day to
do the visit - and again, everyone is TOTALLY good with doing it another day, if that is better for you - perhaps we try to
do something in the 10 to 12 window on Marketplace workflow walkthrough and general tech/ops updates, and Julian's
other CMS meetings get moved earlier?

And again, totally good with picking another day entirely - just let us know, thanks!


— Original Message —
From: Park, Todd
Sent: Wednesday, July 31, 2013 9:43 PM
To: 'henry.chao; 'Michelle.Snyder
Cc: Graubard, Vivian; Mielke, Dawn M.; 'monique.outerbridge; 'Todd.Couts
Subject: Re: Walk through of the online application in hc.gov

Henry, absolutely no problem, and again, please don't hesitate to say that another day would work better - we want to
prioritize your operational imperatives above all other things!
— Original Message —
From: Chao, Henry (CMS/OIS)
Sent: July 31, 2013 08:13
To: Park, Todd; Snyder, Michelle (CMS/OA) <
Cc: Graubard, Vivian; Mielke, Dawn M.; Outerbridge, Monique (CMS/OIS) <; Couts, Todd (CMS/OIS) <
Subject: Re: Walk through of the online application in hc.gov

I have asked the folks involved on the CMS and CGI sides if the 5th will work but it might take until tomorrow to confirm
since it is the same people trying to get Lite Account launched.

Will respond as early as possible tomorrow morning.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

On 7/31/13 8:31 AM, "Park, Todd" wrote:


>Hi Michelle, great - Henry, please let me know if Aug 5 works for the
>mtg below; if so, I'll coordinate with Julian and David Simas to try to
>make sure that we can do 1 visit with all of us, for the sake of time
>efficiency for you and team.
>
>And Michelle, would love to chat! I can talk anytime between 9:30 and
>10:30, at 4:45, or at or any time after 6 pm - do any of those times
>work for you?
>
>Cheers,
>Todd

> 


> — Original Message —
>From: Snyder, Michelle (CMS/OA) [mailto:
>Sent: Wednesday, July 31, 2013 07:43 AM
>To: Park, Todd; Chao, Henry (CMS/OIS) <
>Subject: Re: Walk through of the online application in hc.gov
>
>I think Julian was looking to be here on the 5th. Haven't spoken with
>Henry as to whether or not that works
>
>Also - Todd - is there a good time to call you today - I have a
>proposition for you that doesn't involve marketplaces for a change!!!!
>
>Michelle
>
>Sent from my BlackBerry Wireless Device


> — Original Message —
>From: Park, Todd [mailto:
>Sent: Tuesday, July 30, 2013 03:43 PM
>To: Chao, Henry (CMS/OIS)
>Cc: Snyder, Michelle (CMS/OA)
>Subject: RE: Walk through of the online application in hc.gov
>
>Hi Henry and Michelle, just circling back on the below, to see what
>general date range you think might make sense for this visit - would
>next week work? Just need to have a bit of advance time to line up
>Julian and David's schedules (and I'm out the week of August 12-16).
>Also: if you want to cut down on the time of the visit, ratcheting it
>down to something more like 60-90 minutes, or modify the agenda in any
>way, just let me know....
>
>Thoughts? Thanks!
>
>Todd
> 

> — Original Message —
>From: Park, Todd
>Sent: Thursday, July 25, 2013
>To: 'henry.chao
>Cc: 'Michelle.Snyder
>Subject: Re: Walk through of the online application in hc.gov
>
>Hi Henry, thanks so much! To provide more context, as I shared with
>Michelle, I'll be bringing David Simas and Julian Harris (Keith
>Fontenot's successor, newly arrived) with me. Would love to (1) walk
>through the current live online workflow (ideally from the start of the
>application through Plan Compare and selection) and (2) provide the
>opportunity for Julian to get the latest update on (a) IT dev, (b)
>testing, and (c) operational prep.
>
>For (2), Julian is interested in one level of detail below the Sm
>presentation. I would not prepare any custom materials whatsoever for
>the meeting, but it would be great to show him (a) the slide you showed
>me with all of the IT modules/completion dates, (b) the testing summary
>for fed agencies, states, issuers you wrote up recently (I think for
>someone's testimony), or similar material, and (c) a slide (if you have
>it) of key operationalization steps (high level) on the road to Oct 1
>and Dec 1 (e.g., contract X let, center X live, etc.).
>
>Both Julian and David took great pains to ask that the visit not be
>disruptive to your work - I think that the message to give y'all the
>space to rock and roll is spreading :)
>
>So I'm thinking a focused two-hour visit, in Baltimore, going thru the
>live workflow, and using high-level materials you already have.
>
>Would next week be best, or would the week after be better, or would
>either week be fine? I haven't yet pinged David and Julian for their
>availability, but wanted to see what was optimal for you first. It
>would be good to combine both of their visits, to save you time.
>Thoughts on timing?
>
>Michelle, it would be terrific for you to join - would be great for
>you to meet Julian and David, both of whom are terrific; and I've told
>both of them that you and Henry are pure awesomeness :)
>
>Thanks!
>
>Todd

> 


> — Original Message —
>From: Chao, Henry (CMS/OIS) [mailto:
>Sent: Thursday, July 25, 2013 09:53 AM
>To: Park, Todd

>cc.-,.ob, if arky. {qypifois} 


Vrttmrtfrj 

>’cherYl,campb^ | 

>'Lalcshmf,ManaHit^u| 

ypaajiWaisil 


•; Gouts, Todd (CMS/OB) 
Qtaerbridge, Monique (CMS/OIS) 

■; Grothe, KrkA (CMS/OIS) 

^BetWeyi Katrina (CMS/biS) 

fihones, Rhonda O. (CMS/OIS) 

■; Graubardjt^'Ont 

■ctichana rtir^ 

<cherYl Campbell 

<Lalc^rn).Manambedu| 

kM3.rk.ca.lanj|||^H^HH^/ 
|J|l%QLWe!5s|||m^^H|||^^aiiace)M3ry,H, 
■;8ootii,k>nGi(dfS/pC) 



>Subject: Walk through of the online application in hc.gov
>
>Todd,
>
>If you recall we had agreed to provide you a walkthrough and demo of
>the online application in its current form so you can get a chance to
>peek under the covers of hc.gov.
>
>Michelle mentioned you contacted her about this and that I should
>follow-up with you to schedule the walk through.
>
>Katrina can work with Vivian to find a window of opportunity next week
>if you agree.
>
>Let us know.
>
>Thanks.
>
>Henry Chao
From: Park, Todd
Sent: Thursday, August 01, 2013 1:20 PM
To: 'henry.chao; 'Michelle.Snyder
Cc: Graubard, Vivian; Mielke, Dawn M.; 'monique.outerbridge; 'Todd.Couts
Subject: RE: Walk through of the online application in hc.gov

Apologies - additional schedule intel. It turns out that David Simas can be out of the office from 10 to 12:30, INCLUDING
travel time. So, what could work, perhaps, is an 11 to 12:30 meeting in Baltimore, where the first 45 minutes is a
walkthrough of the live user workflow (with David, Julian, and me) and the second 45 minutes is the general tech/ops
update (with just Julian and me). And again, if this doesn't work for you, totally cool, we'll schedule it for some other
day. Just let us know, thanks!


— Original Message —
From: Park, Todd
Sent: Thursday, August 01, 2013 1:11 PM
Cc: Graubard, Vivian; Mielke, Dawn M.; 'monique.outerbridge; 'Todd.Couts
Subject: RE: Walk through of the online application in hc.gov

Hi Henry/Michelle, just some additional scheduling intel to consider - David Simas could be at CMS on Monday between
10 and 12:30. Julian will be there all morning, and says that he has meetings from 10 to 12. If Monday is a good day to
do the visit - and again, everyone is TOTALLY good with doing it another day, if that is better for you - perhaps we try to
do something in the 10 to 12 window on Marketplace workflow walkthrough and general tech/ops updates, and Julian's
other CMS meetings get moved earlier?

And again, totally good with picking another day entirely - just let us know, thanks!


— Original Message —
From: Park, Todd
Sent: Wednesday, July 31, 2013 9:43 PM
To: 'henry.chao; 'Michelle.Snyder
Cc: Graubard, Vivian; Mielke, Dawn M.; 'monique.outerbridge; 'Todd.Couts
Subject: Re: Walk through of the online application in hc.gov

Henry, absolutely no problem, and again, please don't hesitate to say that another day would work better - we want to
prioritize your operational imperatives above all other things!


— Original Message —
From: Chao, Henry (CMS/OIS) [mailto:
Sent: Wednesday, July 31, 2013 05:13 PM
To: Park, Todd; Snyder, Michelle (CMS/OA) <
Cc: Graubard, Vivian; Mielke, Dawn M.; Outerbridge, Monique (CMS/OIS); Couts,
Subject: Re: Walk through of the online application in hc.gov

>Deputy Chief Information Officer and Deputy Director Office of
>Information Services Centers for Medicare & Medicaid Services
>7500 Security Blvd
>Baltimore, MD 21244
(Prf) 

(Alt) 

(BB)< 
From: Park, Todd
Sent: Thursday, August 01, 2013 3:03 PM
To: Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; 'michelle.snyder; henry.chao; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: RE: CMS visit update — Wed or Fri next week possible?

Sorry, resending with corrected email subject line ☺

From: Park, Todd
Sent: Thursday, August 01, 2013 3:03 PM
To: Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; michelle.snyder; henry.chao; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: CMS visit update — Wed or Thurs next week possible?

Hi Julian and David, with respect to the CMS Marketplace live workflow walkthrough/tech ops update meeting: it looks
like the earliest the CMS tech team can do the meeting is Wed (8/7), Thurs (8/8), or Friday (8/9) next week. (Mon/Tues
will be consumed by Lite Account rollout and issuer meetings).

I could conceivably do a CMS visit the morning of Wed, 8/7, anytime between 8 and 11:30 (I'd have to leave Baltimore
by 11:30), or the morning of Friday, 8/9, anytime between 8 and 12 pm.

Julian/David, would either/both of those slots work for you?

I think we're looking for a 90 minute block of time to be in Baltimore (the workflow walkthrough/discussion would be 45
minutes of that time).

Looping Team CMS and Dawn/Viv....

Dawn/Viv will help coordinate.... Hopefully we can find a time next week that works for all.... Thanks!

Todd
From: Park, Todd
Sent: Thursday, August 01, 2013 3:03 PM
To: Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; 'michelle.snyder; henry.chao; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: CMS visit update — Wed or Thurs next week possible?

Hi Julian and David, with respect to the CMS Marketplace live workflow walkthrough/tech ops update meeting: it looks
like the earliest the CMS team can do the meeting is Wed (8/7), Thurs (8/8), or Friday (8/9) next week. (Mon/Tues
will be consumed by Lite Account rollout and issuer meetings).

I could conceivably do a CMS visit the morning of Wed, 8/7, anytime between 8 and 11:30 (I'd have to leave Baltimore
by 11:30), or the morning of Friday, 8/9, anytime between 8 and 12 pm.

Julian/David, would either/both of those slots work for you?

I think we're looking for a 90 minute block of time to be in Baltimore (the workflow walkthrough/discussion would be 45
minutes of that time).

Looping Team CMS and Dawn/Viv....

Dawn/Viv will help coordinate.... Hopefully we can find a time next week that works for all.... Thanks!

Todd
From: Chao, Henry (CMS/OIS) <
Sent: Thursday, August 01, 2013 4:28
To: Park, Todd; Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; Snyder, Michelle (CMS/OA); Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: Re: CMS visit update — Wed or Fri next week possible?

Best time for my staff and CGI is Friday 8/9.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services

From: Todd Park
Date: Thu, 1 Aug 2013
To: "Harris, Julian"
Cc: "Mielke, Dawn; Michelle Snyder <
Subject: RE: CMS visit update — Wed or Fri next week possible?

Sorry, resending with corrected email subject line ☺

From: Park, Todd
Sent: Thursday, August 01, 2013 3:03 PM
To: Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; michelle.snyder; henry.chao; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: CMS visit update — Wed or Thurs next week possible?

Hi Julian and David, with respect to the CMS Marketplace live workflow walkthrough/tech ops update meeting: it looks
like the earliest the CMS tech team can do the meeting is Wed (8/7), Thurs (8/8), or Friday (8/9) next week. (Mon/Tues
will be consumed by Lite Account rollout and issuer meetings).

I could conceivably do a CMS visit the morning of Wed, 8/7, anytime between 8 and 11:30 (I'd have to leave Baltimore
by 11:30), or the morning of Friday, 8/9, anytime between 8 and 12 pm.

Julian/David, would either/both of those slots work for you?

I think we're looking for a 90 minute block of time to be in Baltimore (the workflow walkthrough/discussion would be 45
minutes of that time).

Looping Team CMS and Dawn/Viv....

Dawn/Viv will help coordinate.... Hopefully we can find a time next week that works for all.... Thanks!

Todd
From: Todd Park <
Date: Thu, 1 Aug 2013
To: "Harris, Julian"
Cc: "Mielke, Dawn; Michelle Snyder; Monique Outerbridge; Mary Wallace
Subject: RE: CMS visit update — Wed or Fri next week possible?

Sorry, resending with corrected email subject line ☺

From: Park, Todd
Sent: Thursday, August 01, 2013 3:03
To: Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; 'michelle.snyder; henry.chao; Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC)
Subject: CMS visit update — Wed or Thurs next week possible?

Hi Julian and David, with respect to the CMS Marketplace live workflow walkthrough/tech ops update meeting: it looks
like the earliest the CMS team can do the meeting is Wed (8/7), Thurs (8/8), or Friday (8/9) next week. (Mon/Tues
will be consumed by Lite Account rollout and issuer meetings).

I could conceivably do a CMS visit the morning of Wed, 8/7, anytime between 8 and 11:30 (I'd have to leave Baltimore
by 11:30), or the morning of Friday, 8/9, anytime between 8 and 12 pm.

Julian/David, would either/both of those slots work for you?

I think we're looking for a 90 minute block of time to be in Baltimore (the workflow walkthrough/discussion would be 45
minutes of that time).

Looping Team CMS and Dawn/Viv....

Dawn/Viv will help coordinate.... Hopefully we can find a time next week that works for all.... Thanks!

Todd
Subject: Re: CMS visit update — Wed or Fri next week possible?

Can you give me a call real quick?

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(Pri)
(Alt)

From: Park, Todd [mailto:
Sent: Thursday, August 01, 2013
To: Harris, Julian <; Chao, Henry (CMS/OIS); Simas, David M.
Cc: Mielke, Dawn M. <; Graubard, Vivian; Snyder, Michelle (CMS/OA); Outerbridge, Monique (CMS/OIS); Couts, Todd (CMS/OIS); Wallace, Mary H. (CMS/OC); Booth, Jon
Subject: RE: CMS visit update - Wed or Fri next week possible?

How about Thursday, 8/8, starting at 5 pm (or later)? (Henry, we should be back from Culpeper by then, yes?)

From: Harris, Julian
Sent: Thursday, August 01, 2013 4:49 PM
To: 'henry.chao; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; 'Michelle.Snyder; 'monique.outerbridge; 'Todd.Couts; 'Mary.Wallace; 'Jon.Booth
Subject: RE: CMS visit update - Wed or Fri next week possible?

I'm unavailable on Friday.

From: Chao, Henry (CMS/OIS) [mailto:
Sent: Thursday, August 01, 2013 04:27 PM
To: Park, Todd; Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; Snyder, Michelle (CMS/OA) <; Outerbridge, Monique (CMS/OIS) <; Couts, Todd (CMS/OIS) <; Wallace, Mary H.; Booth, Jon G. (CMS/OC)
Subject: Re: CMS visit update — Wed or Fri next week possible?

Best time for my staff and CGI is Friday 8/9.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services
demonstrating the Online Streamlined Application (in "beta") for her and a select group the week of 8/25.

We can include in our trip to visit with Verizon-Terremark in Culpeper next Thursday 8/8 a visit to CGI in Herndon and
give you a demo, but it would only be you.

Your choices are then get a demo by yourself next Thursday or come as part of Marilyn's walk through the week of 8/25.
Thanks.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244

Can you give me a call real quick?

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(BB)

Subject: RE: CMS visit update - Wed or Fri next week possible?

How about Thursday, 8/8, starting at 5 pm (or later)? (Henry, we should be back from Culpeper by then, yes?)

From: Harris, Julian
Sent: Thursday, August 01, 2013 4:49 PM
To: 'henry.chao; Park, Todd; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; 'Michelle.Snyder; 'monique.outerbridge
From:

Sent 

To: 

Cc: 


Subject; 


Park, Todd 

Tu^ay; August 04 2033 ^43 PM 

Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)

Couts, Todd (CMS/OIS); Outerbridge, Monique (CMS/OIS); Kerr, James T.
(CMS/CMHPO); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC); Reilly, Megan C.
(CMS/OC); Mielke, Dawn M.; Graubard, Vivian
RE: CMS visit update — Wed or Fri next week possible?


OK, great, thank you! Michelle, should I call you at your office?


From: Snyder, Michelle (CMS/OA) [mailto:
Sent: Tuesday, August 06, 2013 3:06 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Couts, Todd (CMS/OIS); Outerbridge, Monique (CMS/OIS); Kerr, James T. (CMS/CMHPO); Wallace, Mary H.
(CMS/OC); Booth, Jon G. (CMS/OC); Reilly, Megan C. (CMS/OC); Mielke, Dawn M.; Graubard, Vivian
Subject: Re: CMS visit update - Wed or Fri next week possible?

430

Sent from my BlackBerry Wireless Device

From: Park, Todd [mailto:
Sent: Tuesday, August 06, 2013 12:40 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Couts, Todd (CMS/OIS); Outerbridge, Monique (CMS/OIS); Kerr, James T.
(CMS/CMHPO); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC); Reilly, Megan C. (CMS/OC); Mielke, Dawn M.;
Graubard, Vivian
Subject: Re: CMS visit update - Wed or Fri next week possible?

Henry, sounds good -- can we jump on the phone for 5 min today just to finalize what we should do on this front and
with David/Julian? Michelle, would be great if you could join as well.... Would a time between 3:30 and 5 work, or at or
anytime after 6 today? Will just be 5 minutes.... Thanks!





From: Chao, Henry (CMS/OIS) [mailto:
Sent: Friday, August 02, 2013 10:41 AM
To: Park, Todd

<Cc: Sny^ MfcM# < i_ 

Outofbridgef Moriduie (CMS/OIS)^ 

>; Wallace, Mary H,(Cl^/C)Qy 

.Reilly, C. (p4§/OC) <I_ 

Subject: Re: CMS visit update - Wed or Fri next week possible?


Tp^ CPMS/OK) < 

(CMS/CMHPO)' 

Booth, Jbn.G, (CMS/pC) 


Todd,


I just spoke to Michelle and this is the direction we will go based on her guidance.

Marilyn wants a walk through of what has been built, basically the same thing you are asking for except we are
From: Snyder, Michelle (CMS/OA) <
Sent: Tuesday, August 06, 2013 3:06 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Couts, Todd (CMS/OIS); Outerbridge, Monique (CMS/OIS); Kerr, James T. (CMS/CMHPO); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC); Reilly, Megan C. (CMS/OC); Mielke, Dawn M.; Graubard, Vivian
Subject: Re: CMS visit update — Wed or Fri next week possible?

430

Sent from my BlackBerry Wireless Device

From: Park, Todd [mailto:
Sent: Tuesday, August 06, 2013 12:40 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Couts, Todd (CMS/OIS); Outerbridge, Monique (CMS/OIS); Kerr, James T.
(CMS/CMHPO); Wallace, Mary H. (CMS/OC); Booth, Jon G. (CMS/OC); Reilly, Megan C. (CMS/OC); Mielke, Dawn M.;
Graubard, Vivian <
Subject: Re: CMS visit update - Wed or Fri next week possible?

Henry, sounds good -- can we jump on the phone for 5 min today just to finalize what we should do on this front and
with David/Julian? Michelle, would be great if you could join as well.... Would a time between 3:30 and 5 work, or at or
anytime after 6 today? Will just be 5 minutes.... Thanks!




From: Chao, Henry (CMS/OIS) [mailto:
Sent: Friday, August 02, 2013 10:41 AM
To: Park, Todd
Co: Srte!e*l'«»ielle(CHS/OA3;-s_ 

Outeitridae, .MpnHue (CMS /QIS) <] 

Wallacei, Maiy (CM3/OC): 

Re'iliy, Megan C:.(CM^OCJ <L_ 

Subject: Re: CMS visit update - Wed or Fri next week possible?



»cajfe , Todd (CM^OIS), <■ 1 

■; Ken-; ladies T,£CMS/CHI«) ■; 

; Bootti„:lon;a(CMS/pQ 


Todd, 


I just spoke to Michelle and this is the direction we will go based on her guidance.

Marilyn wants a walk through of what has been built, basically the same thing you are asking for except we are
demonstrating the Online Streamlined Application (in "beta") for her and a select group the week of 8/26.

We can include in our trip to visit with Verizon-Terremark in Culpeper next Thursday 8/8 a visit to CGI in Herndon and
give you a demo, but it would only be you.


Your choices are then get a demo by yourself next Thursday or come as part of Marilyn's walk through the week of 8/26.
Thanks.
Henry Chao

Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(FftJ ■ . 

m 

(BB) 



From: Chao, Henry (CMS/OIS)

Sent: Friday, August 02, 2013 10:13 AM

To: Todd Y <Todd Y .Park| 

Subject: Re: CMS visit update — Wed or Fri next week possible?

Can you give me a call real quick?

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(Pri)
(Alt)
(BB)



From; farlCfTsdiJ [ma8K>;| 

Senfe-rtUrsday-, A ugu'st01.,zpi3.0g;S6.(W.. : 



■; Ch'ad, Ha^(eHS^IS);>Sim3Sj-.D'ayid,M». 


1 1 ; I I iiii>iil I'l ' I G»aubard,. Vn/im r 

Hfcfi*tcWS/0Ari dufeSiy^ Monique (CMSjfOIS); Couts^ToiJd (CMS/OIS)i WaBasJMaty H. (CM^OC); Booth, Jon 

CfHgyisitupdnte -W^pjRt’next^elc'po^e?: ..'■}} 

HowabdutThursttey,8/S,slartingatSprrt{prtater)? {Hcn(y,w6 should be back from Culppfjer by ibPrt,y&?y ' ' ' : ; 


From: Harris, Julian

Sent: Thusda fc Au0UStPl, 2Q 13.4:'}9 PM 
To: 'hetirfccha JIM^^— rPark. Toiici} Staas, Davi d M. 

CiS: Mtelte, Dafe_M,>:<SCTt iyd,- ynJOn,' 'Mi chi^feSnYdefi 

Tpdd.Ctiut^HHi^Hi ’h^n'-W^acoHiilHiK I 

SibiscG R® ^WSAifsittjpdate ~ Wsfor Fti ndnt week poSbfe? 

I'm unavailable on Friday.


From: Chao, Henry (CMS/OIS) [mailto:]
Sent: Thursday, August 01, 2013 01:27 PM
To: Park, Todd; Harris, Julian; Simas, David M.
Cc: Mielke, Dawn M.; Graubard, Vivian; Snyder, Michelle (CMS/OA)


s; Outerbridg^, 
From:

Sent 

To: 


Subject 


T^anner, Marilyn (GMSjOA) <| 

Thursday, August 1 % 20i5 1020 AM 
Park, Todd; Snyder^ Michelle (CMS/OA); Chao^ Heriry (CMS/OISO 
Khaild, Ary^a C (O^S/O^ Cavanaugh, Alicfe A (tWS/OA); MUler; Ru^ A. (CMS/OA) 
Re: CMS wsit update — Wed or.Fri next week possible? 


I am on vacation next week. We can do the walkthrough the week of Sept 3rd. Aryana and I will join. Alicia and Sam can coordinate.


From: Park, Todd [mailto:]
Sent: Tuesday, August 2013 07:07 PM
To: Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Tavenner, Marilyn (CMS/OA)
Subject: Re: CMS visit update — Wed or Fri next week possible?

Hi Michelle and Henry, one additional note (and looping Marilyn on this as well): if possible, Tara McGuinness would like to join Julian, David Simas, and me on the walkthrough with Marilyn, and Chris Jennings likely will as well.

It should all happen at the same time Marilyn does her walkthrough, so as to economize use of CMS time.

And a date constraint: David Simas will be out starting tomorrow through August 27, so, if possible, it would be great for the walkthrough to happen Aug 28 or later.

When you think you know a date or possible dates, please let me know, and we'll get folks lined up here to go to Baltimore.

Thanks very much!
Todd


From: Park, Todd

Sent: Tuesday, August 20, 2013 9:14 AM

To: ’M!chelie.Snyder||B||H|||T’fisnry.cHaoHBm 
Subject: RE: CMS visit update — Wed or Fri next week possible?

Hi Michelle and Henry, one additional thought: was wondering if I might be able to drop by some evening this week for a few minutes to say hi to the tech team (whomever might be around at that particular moment), bring them cookies (literally), and just say thank you for the massive effort they are putting in during this home stretch. I can only imagine how crazy/intense it must be right now and just wanted to come by for a few minutes to say thank you. And since I'll only be risking my own life, I'll be delighted to drive myself to and from Baltimore to do so :) Would it be OK to drop by this week?


From; Paii^ Todd 

Sent Mpntfey Augt i^ Ig, ^13.73 PM 
To; Mich4le.Snyd^J|§j|BiJ||; ^henrv.diao i 
Sutgeeb Re: GMSths^ update ~ Wed pr F/l next possible? 


Hi Michelle and Henry,

Michelle, hope Santa Fe was terrific!

Two quick questions:

1. With respect to the walkthrough with Marilyn (which Julian and I would join), any update on when this will happen? Just want to get calendars aligned...

2. Henry, might you have 5 min in the next few days to chat about a cybersecurity question? I can chat in the evening any time if that is more convenient for you.

Thanks so much,

Todd


From: $iydeFj fdlchelle (CMS/OA) f ma[ftQ:| 

Sent: y/eine^^,.Augus^ 07^ ^i3 09:^0 AM . 

Dawn Henry (CMS/OIS) 

>; Sihias, Ddyid 


Cc; QkiteMj 0 ufebd dge. Morgue (OI^QIS) <|^ 

^lllllllll^^ Wallace, Mary H. (CMS/OC) <| 

CMS visit update — Wed or Fri next week possible?
Works well for CMS


Couts, Todd (CMS/OIS)
Booth, Jon G. (CMS/OC)


Michelle


Sent from my BlackBerry Wireless Device


ftTom: Parii^ Todd rmallto: 

Sent: f uesday, August 0^ 2013 psat PM 
to: krfetifi <1 


DsvldM. 

Oc: Graubanl,Vivran< l 

Wallace*. Mary K.(CMS/OC);.Bpc^ Jon G,(CMS/OC) 

Sutdect; ftE* visit update - Wed' or Fii nekt vyeek. posstWet - ' 


Snyder, Mlchefe (CMS/OA); M)elkB,,p3wn,M. 

|£^-tldfri% . Chap, Henry (CM^oi5)'*.^mia5', 
jArnst^x^yidreaE (CM^CV^) 

; duferbiidge/ Monk}ue(CMS/OIS)^C.a4t5,;T^: CP^S/O^); 


Hi team, here's a proposed game plan, which should hopefully ease the degree of scheduling difficulty involved here and also ensure we make judicious use of CMS bandwidth:


1.:. Tdarh CMSis pfanhlngfq WaikiVlarifyn tfirpUgh the i»nsuimef experience and wb'fkfld Wat- some point In the Aug 
26^25 date range f propose that:Davfd, ji4ian, and.IjiMh Maifvm for thatv'i'allcih^ CMS rnay host this 

walkthrou^ Trt theCiJlombia command center, In wHch casS; we'd get to check thif out aS'welll Though' we 
have to pnprhfse notto . touch anything fn the corhniand center © 


2. SGpar5t^y,.JUiiahwnu)d vislt. CMSMBaldmora to get'up to speed oh arange oftoplcf he would like to get.up to 
speed on, Includlngthe iat^ with respect to. Maike^lace r^ It Ipc^ fcjhe yreek# Aii^u^ 19 wouldbe.a 

great week fQrthis(MfcheOe Shyder;isquE,next week). i,sugg(^,th,at arid ^^'WQdc-.to put.tpgether an 
a^nda that would be best’ for Julian, based on what Juliari already knows h'e'Waht^to cover arid add^^ 
topics CMS would suggest Julian co^«^ as weft. This yiatan.be Julian solo, wkhput .Dwidand m&. 1 wodd very 
much like to golf} can, for the Marketplace section of the day En particular but.don'tletmefae a scheduling 
bottleneck. 
Subject: CMS Marketplace walkthrough

Date:' Thu Aug:22^2Q13 14*9:19 EDT 

Attachments:


Hi David, Julian, Tara, and Chris,


To follow up on CMS hosting a walkthrough of the Marketplace customer experience - Marilyn would like to host us in Baltimore for this the week of September 3. Alicia Cavanaugh will coordinate. Please let Alicia know if there are additional folks you'd like to bring (Julian was interested in bringing a couple of additional folks), though we should try to keep the total number of people pretty small, if possible.


Cheers, 

Todd 
From:

Sent 

To; 

Cc: 

Subject: 


Simas, David M.

Wednesday, September 11, 2013 7:50 AM

'MariiynJayennerllllllimHH 

'j^ana.l(ha!!cf||||||[|||||||||^'PdH^ToddrLambmv,Jemh^ 
.'Mda.Cav^naughi 
Re: demo this morning


Makes sense.
Thanks Marilyn.


From: Tavenner, Marilyn (CMS/OA)
Sent: Wednesday, September 11, 2013 07:46 AM
To: Simas, David M.
Cc: Khalid, Aryana C. (CMS/OA); Park, Todd; Lambrew, Jeanne; Cavanaugh, Alicia A. (CMS/OA)
Subject: demo this morning


David - wanted to make you aware that for your demo - we will be working from a demo platform and not "live" on the system....we did "live" on the system last week for the larger group - but did not want to take the system down today for demo purposes for you or the Secretary as we have an entire team working in Herndon including alpha testers....it will look and feel the same but wanted you to know....just sent the Secretary the same message...thanks and look forward to seeing you shortly - Marilyn
From: Tavenner, Marilyn
Sent: Wednesday, September 11, 2013 7:47 AM
To: Simas, David M.
Cc: Khalid, Aryana C.; Park, Todd; Lambrew, Jeanne; Cavanaugh, Alicia A. (CMS/OA)
Subject: demo this morning

David - wanted to make you aware that for your demo - we will be working from a demo platform and not "live" on the system....we did "live" on the system last week for the larger group - but did not want to take the system down today for demo purposes for you or the Secretary as we have an entire team working in Herndon including alpha testers....it will look and feel the same but wanted you to know....just sent the Secretary the same message...thanks and look forward to seeing you shortly - Marilyn
From: Tavenner, Marilyn (CMS/OA)
Sent: Tuesday, September 24, 2013 3:27 PM
To: Park, Todd; Snyder, Michelle (CMS/OA)
Cc: Chao, Henry (CMS/OIS)
Subject: RE: Herndon Information/Instructions


Yes I am very frightened!!


From: Park, Todd
Sent: Tuesday, September 24, 2013 3:23 PM
To: Snyder, Michelle (CMS/OA); Tavenner, Marilyn (CMS/OA)
Cc: Chao, Henry (CMS/OIS)
Subject: Re: Herndon Information/Instructions

Will absolutely obey all instructions with precision!! And really looking forward to the visit — and more than anything, thanking everyone from the bottom of our collective hearts for the truly incredible work they are doing :)


From: Snyder, Michelle (CMS/OA) [mailto:]
Sent: Tuesday, September 24, 2013 02:42 PM
To: Park, Todd; Tavenner, Marilyn (CMS/OA)
Cc: Chao, Henry (CMS/OIS)
Subject: Herndon Information/Instructions


I have requested that the security cameras at Herndon be loaded with facial recognition software so that if either of you wander into a restricted area armed with a set of questions alarms will sound. Henry has been issued a government taser if the visit extends beyond an hour or if Todd looks for a later ride home ...that ought to scare both of you....Henry, armed and dangerous :)


Enjoy the visit.
Michelle


A. Michelle Snyder
Chief Operating Officer
DHHS/CMS/OA
From:

Tavenner, Marilyn (CMS/OA)

Sent 

Tuesday, September 24;.^13 '6i3S PM 

To: 

Snyder, Michelle (CMS/OA); Park, Todd

Cc: 

Chao, Henry (CMS/OIS) 

Subject: 

Re: Herndon Information/Instructions


I kept Todd under control (well sort of). Henry thanks for a great visit!!!


From: Snyder, Michelle (CMS/OA)
Sent: Tuesday, September 24, 2013 PM
To: Park, Todd; Tavenner, Marilyn (CMS/OA)
Cc: Chao, Henry (CMS/OIS)
Subject: Herndon Information/Instructions

I have requested that the security cameras at Herndon be loaded with facial recognition software so that if either of you wander into a restricted area armed with a set of questions alarms will sound. Henry has been issued a government taser if the visit extends beyond an hour or if Todd looks for a later ride home ...that ought to scare both of you.....Henry, armed and dangerous :)

Enjoy the visit.

Michelle

A. Michelle Snyder
Chief Operating Officer
DHHS/CMS/OA
From: Chao, Henry (CMS/OIS)
Sent: Tuesday, June 11, 2013 8:29 PM
To: Park, Todd
Cc: Graubard, Vivian; Snyder, Michelle (CMS/OA)
Subject: Re: Sync-up


Hi Todd,

I am out next week so probably the week after will work for me.

As for issue around logos, I'm not sure you have the complete scoop but I suppose this issue got to you because people can't accept that we can't do this as easily as one might think and the fallout from catering to the Blues (as opposed to the AHIP members) will triple the confusion and cause more grief than we can handle. In addition because I have looked at this carefully along with Mary Wallace, Jon Booth, Jim Kerr, Michelle, and our developers (and including the BCBSA IT leads that think it's as easy as changing colors on a website), if you twist my arm and make me do magic to render logos correctly for 100% of the QHPs in millions of plan compare results where I have to map/link to a data source outside of HIOS, well, it would just make a liar out of me for saying no when someone can make me say yes.

If you want to talk about this then call me any time, if we're going to talk logos at this one hour catch-up session it will then not be a great use of our time and may get me into more trouble because no one will believe me anymore because I hold the line on something that in the grand scheme no one would really want us to tradeoff for more risk.

Thanks for understanding.


Henry Chao

Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(Pri)
(Alt)
(BB)



From: Park, Todd [mailto:]
Sent: June 11, 2013 07:52 PM
To: Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Tavenner, Marilyn (CMS/OA); VanRoekel, Steven; Lynch, Laura; Graubard, Vivian
Subject: Sync-up


Hi Michelle and Henry, hope all is terrific with you!


As you've heard from Marilyn, would love (with Steve) to arrange time (1 hour) in the next week or week and half to check in on how things are going with respect to Marketplace IT dev and testing. (And also to discuss the tactical question of issuer logos). Would love to arrange a visit to Baltimore, but given how crazy schedules are, I'm guessing that a videoconference or conference call would be more feasible.

We don't need any special documentation or whatnot. Just you :) If you have something that you've already put together for another purpose that you'd like to send, great.

May Vivian and Laura work with your office to set up a time to chat?

Cheers,

Todd
From: Graubard, Vivian

Sent Friday, June .28, 2D13 S54 AM 

To: Chao, Henry (CMS/OIS); Park, Todd

Subject: RE: Follow-up


Le^s gQ My 4-8. Does that still work? Does anyone elsa from VW need to join ? 


Thanks, 


From: Chao, Henry (CMS/OIS)
Sent: Wednesday, June 26, 2013 11:16 PM
To: Park, Todd
Cc: Graubard, Vivian
Subject: Re: Follow-up


Todd,


For planning purposes I am blocking the following dates and times. Let me know which works for you. Thanks!


Monday July 8 5pm to at least 9pm
Tuesday July 9 4pm to at least 8pm
Monday July 15 5pm to at least 9pm
Tuesday July 16 4pm to at least 8pm


Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244
(Pri)
(Alt)
(BB)


From: Park, Todd [mailto:]
Sent: Wednesday, June 26, 2013 05:34 PM
To: Tavenner, Marilyn (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Subject: Follow-up

Hi Marilyn, Michelle, and Henry,

After talking with Henry and team, I spoke with Mark about the logo issue, and explained why attempting to add logos for October 1 is extremely unwise. He understands. He may want me to get on the phone with someone from the Blues so they fully understand it. I'm more than happy to do so on your behalf - this issue should not consume any more of your time.
From: Chao, Henry (CMS/OIS)
Sent: Wednesday, June 26, 2013 1:52 PM
To: Park, Todd; Snyder, Michelle (CMS/OA)
Cc: Kerr, James T.; Wallace, Mary H. (CMS/OC); Outerbridge, Monique; Bowen, Marianne
Subject: Re: Draft writeup


Here's the write-up. I'm sending and copying those who are key to supporting this assertion.

Attempting to integrate logos into the FFM for October 1, 2014 is not possible with less than 100 days left. This is not because the "concept" of integrating a logo is by itself a difficult thing to do. In reality and practice it's not possible at this point because of inter-dependencies with other processes, the already underway testing process with dedicated test data, schedule/lack of time, and resource constraints. Specifics are:

• The operational execution process of acquiring logos requires coordination with NAIC and their SERFF system since issuers in approximately 11 or so FFM states submit their data through the SERFF system and not directly to HIOS (this was a policy decision made late last summer). Any change in how issuers submit data and how it ends up as part of the FFM operations requires coordination not just with issuers but also with NAIC and their SERFF development and operations team.

• The logo by itself may be considered as a simple image object, but in reality is still a piece of data that needs to be managed in a structured and controlled manner in order to display it properly each and every time. If the logo data was not factored in the design of how data are submitted as part of the QHP process, that means it has to be done in a "one-off" manner outside of the established automated processes for Plan Compare. Outside of the automated process will mean the ability to attach the correct logo to the right row or column of Plan Compare results (rendered literally millions of times from consumers constantly requesting compare results for
iheIrTnpwr to appreciatethe volume of transacticmsjustthink In terms, of, cori. sum eft sesln^t^pph'sestothelr: 
search when they pnavide input to. Priceline, ^edla, Travetoa^, eto. exce'fj iri.fe .cas.eft?5fn‘UWf^^ 
number of ronsum.ers their requests to compa.re p|ah§)..^ ■, ■ ^ V ; 

At tills time amidst the rinalsteges of working with iKiiers, D01s> and NAlG to finalize a validated set data 

nationally July Sil, 201^, .aiterlng HIOS, getting NAIC.tp alter SEI^,, and.woriclngwitbksuers thst-ip^y or 

not ybluni^itly submit fe'not feasible and ert dangers th$ ability to stay ori’scHedulg: Cdiie^ng.ahy 

additional data fwm fssuers; via tornplab^ prsorne otfierproces, IdasJ.ing these data either ^irfctly 'info thq.HipS 
system !or'outs).de tiie-HidSsy^mfn a.nianuai!yeStilished!^te;5tD yafetihjg the. date., 

NAl G SEF^F sierid til e n.ew fpgb data. separately QHP date to and haVIhgJthb te^hg eni^he r apd 

render that data when the FFM design and build process has been locked down and we are in the middle of crunch time between now to October 1, would introduce significant risk to getting the FFM fundamental capabilities in place for open enrollment. Think of it as trying to change a gear in an airplane engine in mid-flight. Or adding a new field to an IRS tax form in the middle of filing season. As an isolated act without the constraints of schedule and scope, adding the data isn't impossible. What's impossible is the notion of adding it to the tax form via a system modification when that system is going through an intense time, with a lot of moving parts involved, and where a wrong move could actually screw the whole system up and in the case of attempting to add a logo and screwing that up means we will adversely impact enrollment and the consumer experience.

• There exists the notion that as an alternative to changing the core plan data submission/management process and systems (i.e., modifying the carrier plan data templates, HIOS, the QHP database, and rating engine logic) would be to set up a separate database of logos outside this core data and process already in place with QHP submission in conjunction with NAIC and have the FFM system, when rendering a given issuer's QHP product, pull separately from both the QHP database plus the logo database and then "join" the results and display to the consumer. This is a terrible idea technically, would be extremely prone to error, and still creates the issue of mucking with the jet engine while it's in flight.

• The current commitment to the scope and delivery schedule to make October 1, 2013 is locked down in terms of committed hours from our contractors. Anything that was not part of scope means we have to negotiate across the board with CCIIO, CMCS, OC and our contractors to find hours to take away and recommit to this effort - there are no available hours at this point to freely use as commitments arise that were not planned months in advance and funded as part of a contract.

The right way to add logos to the FFM would be to modify the core plan data submission/management process and systems to include logos as part of the issuer QHP product templates and be able to process logos in an automated, structured, and high precision all the way through. This is not possible for Oct 1, 2013 without introducing significant operational risk to the go-live, as discussed above. We suggest considering it as part of a future release, post October 1 understanding that it will have to compete with a lot of priorities. The reasonable thing to do would be to target making this modification in time for the next cycle of plan bids in 2014 starting with the Payment Notice for 2015 that will be released in the March 2014 timeframe and logos can start flowing in as part of QHP submission in the June-July 2014 timeframe.


Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


FnjmrTodd parfc< 

Date: W^,'2S 
to: f^chelle^^ydep < 
Suhiert; BE; Draft writeu p 


^^.HENRyCM^ 



Attempting to integrate logos into the FFM for October 1 is not advisable. This is not because the act of integrating a logo is by itself a difficult thing to do. It's because the process for collecting health plan and product data from carriers via templates, loading these data into the HIOS system, validating the data, transferring the data from HIOS into the FFM QHP database, and having the rating engine retrieve and render that data in the FFM has been locked down, and is being utilized to support plan data collection/validation and system testing as we speak. Changing the underlying plan data template and processing routine right now - by adding a new plan data element, the logo - during the crunch-time sprint we're in from now to October 1, would introduce significant risk. Think of it as trying to change a gear in an airplane engine in mid-flight. Or adding a new field to an IRS tax form in the middle of filing season. As an isolated act, adding the field isn't hard. What's hard is the notion of adding it to the tax form via a system modification when that system is going through an intense time, with a lot of moving parts involved, and where a wrong move could actually screw the whole system up.

An alternative to changing the core plan data submission/management process and systems (i.e., modifying the carrier plan data templates, HIOS, the QHP database, and rating engine logic) would be to set up a database of logos outside this core data management process and have the FFM system, when rendering a given insurance product, pull from both the QHP database plus the logo database. This is a terrible idea technically, would be prone to error, and still creates the issue of mucking with the jet engine while it's in flight.
From: Tavenner, Marilyn
Sent: Wednesday, June 26, 2013 5:56 PM
To: Park, Todd; Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Cc: Khalid, Aryana C. (CMS/OA)
Subject: Re: Follow-up


Thanks Todd. Appreciate the help as always!!!!


From: Park, Todd [mailto:]
Sent: Wednesday, June 26, 2013 05:34 PM
To: Tavenner, Marilyn (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS)
Subject: Follow-up


Hi Marilyn, Michelle, and Henry,

After talking with Henry and team, I spoke with Mark about the logo issue, and explained why attempting to add logos for October 1 is extremely unwise. He understands. He may want me to get on the phone with someone from the Blues so they fully understand it. I'm more than happy to do so on your behalf - this issue should not consume any more of your time.


Marilyn, I'm also going to visit with Henry and team for one of our evening deep-dive sessions to get up to speed on the latest status of IT and testing during the week of July 3. Michelle, Henry, and I had a check-in call today, but I think that Henry is right that to really understand current status and next steps, there is no substitute for an evening deep-dive. So I'll bring healthy food and snacks to Baltimore and camp out with Henry and team for a few hours :)

All the best,

Todd

The right way to add logos to the FFM would be to modify the core plan data submission/management process and systems to include logos as part of the carrier plan/product template and be able to process logos all the way through. This is not doable for Oct 1 without introducing significant operational risk to the go-live, as discussed above. We suggest considering it as part of a future release, post October 1 understanding that it will have to compete with a lot of priorities. The reasonable thing to do would be to target making this modification in time for the next cycle of plan bids, in 2014.
From:

Sent 

To: 

Subject 


Snyder, Michelle (CMS/OA) < 
Tuesday, June 25, 20l3 S:48 PM. 
Park, Todd; Chao, Henry (CMS/OIS)
RE: Draft writeup


Looks


A. Michelle Snyder

Deputy Chief Operating Officer

DHHS/CMS



From: Park, Todd [mailto:]
Sent: Tuesday, June 25, 2013 1:13 AM
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Subject: Draft writeup


Please keep close hold - loop in folks who can help with the details, but don't circulate broadly yet, if you don't mind. Let me know if this sounds right - any corrections/edits/additions/deletions welcome:


Attempting to integrate logos into the FFM for October 1 is not advisable. This is not because the act of integrating a logo is by itself a difficult thing to do. It's because the process for collecting health plan and product data from carriers via templates, loading these data into the HIOS system, validating the data, transferring the data from HIOS into the FFM QHP database, and having the rating engine retrieve and render that data in the FFM has been locked down, and is being utilized to support plan data collection/validation and system testing as we speak. Changing the underlying plan data template and processing routine right now - by adding a new plan data element, the logo - during the crunch-time sprint we're in from now to October 1, would introduce significant risk. Think of it as trying to change a gear in an airplane engine in mid-flight. Or adding a new field to an IRS tax form in the middle of filing season. As an isolated act, adding the field isn't hard. What's hard is the notion of adding it to the tax form via a system modification when that system is going through an intense time, with a lot of moving parts involved, and where a wrong move could actually screw the whole system up.


An alternative to changing the core plan data submission/management process and systems (i.e., modifying the carrier plan data templates, HIOS, the QHP database, and rating engine logic) would be to set up a database of logos outside this core data management process and have the FFM system, when rendering a given insurance product, pull from both the QHP database plus the logo database. This is a terrible idea technically, would be prone to error, and still creates the issue of mucking with the jet engine while it's in flight.

The right way to add logos to the FFM would be to modify the core plan data submission/management process and systems to include logos as part of the carrier plan/product template and be able to process logos all the way through. This is not doable for Oct 1 without introducing significant operational risk to the go-live, as discussed above. We suggest considering it as part of a future release, post October 1 understanding that it will have to compete with a lot of priorities. The reasonable thing to do would be to target making this modification in time for the next cycle of plan bids, in 2014.
From:

Sent 

To: 

Subject: 


Jennings, Christopher 
Wednesday, Juiyl7, 2013 S33 PM 

Pari; Todd; Childres^ Marig n^r^yn.tav5nnergyy||y|||||| Jeanne 

RE' BC8SA conversation upd^ 


Thanl^Todd This b jTelpfu1JnforTnati<^forj')e t^know be^seS)© plans always appealing tiling, .Haying said, as 
per usual your standing with these folks goes a long way to acceptance. Look forward to getting together. You will be hearing from me to get on your schedule shortly. Thanks for all.

Chris 


From: Park, Todd

Sent: Wednesday, July 17, 2013 7:44 PM

To; d^ldr^, Mc^k; rrarihm.tHvennei| ^^gBgJ| Lambrew, Jeanrie; Jennings, Christopher 
Subject: BCBSA conversation update

Hi Mark, Marilyn, Jeanne, and Chris,

Spoke with BCBSA this morning - Justine Handelman, Bill O'Loughlin, and Jeannette Ekh.

Was a very good conversation. I explained that we were 100% supportive of adding logos, but that doing so for October 1 was very-high-risk, and explained why in detail. They said that they understood - and they very much understood the importance of focusing on mission-critical core operational execution to support a successful October 1 go-live, which is in everyone's best interest.

They asked about whether logos might be doable for Nov or Dec. I said that we could definitely do logos for the next cycle of plan bids and data submission in 2014 (March 2014 notice, QHP data submission in June/July 2014), and that this would be the logical time to do it. Doing logos before then would require out-of-cycle plan data submission/validation/retrieval/presentation work, and furthermore, that we should expect Oct 2013 - Jan 2014 to be a very, very busy time as we execute improvements to the core operation based on what we learn post go-live and as we develop, test, and deploy back-end modules to power financial management and plan payment beginning in Jan 2014.

It sounded like they understood this as well. They appreciated that we were very supportive of doing logos, and appreciated the need to focus on core ops/IT execution in the near-term.

As we discussed^ 1 interwove into the discussion our desire to start oni^ing dialogue between OylS ahd Issuer ops/tech 
people A&!^, tocoordina te, test^ and prep for Oct 1. I also said that we were very, supportive pf the of having 

issuertigerteamsandour Marketplacs Ops Center collaborate closely £wi and post Oct 1 which would baa natural 
outgrowth of the CM5-issuer ops dialogue we start now. 

They were very enthusiastic about ti^s, and said that it dosefy mirrored, their.own thinking as well they have actually 

worked on.reoDmmendations for Hqw to pro.ceed vwth issuer-CMS i^/tech collaboration,, whidi th^l! beseridirig to 
CMS shortly. 1 said toat CMS would be reaching out to Issuers ASAP as well They said that getting started ''’tomorrow" 
with dps/tech dialogue would be ^eat, that this collaboration would be a key success factor, and that W'e're all on the 
same team. 

They'll report back to th^r board on the logo issue — and will also let toe board know about our desire to engage In 
ongoing collaborative ops/tech diabgue and work. They said.that their board would be super-supportive of engaging 
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Tliey were very enthusiastic about this, and said that it dosely mirrored their own thinking as we!l they have actually 

worked on recommendations for howto proceed with issuer -CMS op/tech collaboration, which they'll be sending to 
CMS shortly. I said that CMS would be reaching out to issuers ASAP as well. They said that getting started "tomorrow” 
with ops/tech dialogue would be great, that this collaboration would be a key success factor, and that we're ail on the 
same team. 

They'll report back to their board on the logo issue - and will also let the board know about our desire to engage In 
ongoing collaborative ops/tech dialogue and work. Theysaldthat their board would be super -supportive of engaging 
asap in closer dialogue/codaboration. Hopefully, the board will understand what's logical to do with logos as well 
Justine and team said thatthey^wouid articulate.thc.context and.expJanati.on, and said tbaltheythoughttbe board 
would understand the need to focus on mission -critical work In the near-term. 

Please let me know if you have any questionsl 

Cheers, 

Todd

From: Childress, Mark
Sent: Wednesday, July 17, 2013 10 ^ PM
To: Park, Todd; Lambrew, Jeanne; Jennings, Christopher
Subject: Re: BCBSA conversation update

Thx vmuch for doing that todd

From: Park, Todd
Sent: Wednesday, July 17, 2013 07:44 PM
To: Mark; mar^L^ygin^BBHBIIH Lambrew, Jeanne; Jennings, Christopher
Subject: BCBSA conversation update
Hi Mark, Marilyn, Jeanne, and Chris,

Spoke with BCBSA this morning Justine Handelman, Sili O'loughRn, and Jeannette Ekh.

Was a very good conversation. I explained that we were 100% supportive of adding logos, but that doing so for October
1 was very-high-risk, and explained why in detail. They said that they understood and they very much understood the
importance of focusing on mission-critical, core operational execution to support a successful October 1 go-live, which is
in everyone's best interest.

They asked about whether logos might be doable for Nov or Dec. I said that we could definitely do logos for the next
cycle of plan bids and data submission in 2014 (March 2014 notice, WP data submission in June/July 2014), and that
the would be the logical time to do it. Doing logos before then would require out-of-cycle plan data
submission/validation/retrieval/presentation work, and furthermore, that we should expect Oct 2013-Jan 2014 to be a
very, very busy time as we execute improvements to the core operation based on what we learn post go-live and as we
develop, test, and deploy back-end modules to power financial management and plan payment beginning in Jan 2014.

It sounded like they understood this as well. They appreciated that we were very supportive of doing logos, and
appreciated the need to focus on core ops/IT execution in the near-term.

As we discussed, I interwove into the discussion our desire to start ongoing dialogue between CMS and issuer ops/tech
people ASAP, to coordinate, test, and prep for Oct 1. I also said that we were very supportive of the of having
issuer tiger teams and our Marketplace Ops Center collaborate closely on and post Oct 1 which would be a natural
outgrowth of the CMS-issuer ops dialogue we start now.

They were very enthusiastic about this, and said that it closely mirrored their own thinking as well they have actually
worked on recommendations for how to proceed with issuer-CMS op/tech collaboration, which they'll be sending to
CMS shortly. I said that CMS would be reaching out to issuers ASAP as well. They said that getting started "tomorrow"
with ops/tech dialogue would be great, that this collaboration would be a key success factor, and that we're all on the
same team.

They'll report back to their board on the logo issue - and will also let the board know about our desire to engage in
ongoing collaborative ops/tech dialogue and work. They said that their board would be super-supportive of engaging
asap in closer dialogue/collaboration. Hopefully, the board will understand what's logical to do with logos as well.
Justine and team said that they would articulate the context and explanation, and said that they thought the board
would understand the need to focus on mission-critical work in the near-term.

From:
Sent:
To:
Cc:
Subject:

Park, Todd
Sunday, July 21, 2013 7:10 PM
'Justine.Handelman
'mara.baer 'Marilyn.Tavenner
Graubard, Vivian; Paris, Randy
Re: Thanks and Follow-Up

'Aryana.Khalid

Hi Justine, it was terrific speaking with you and team, and am looping Marilyn and Aryana on the next steps below
they have been working on the plan to amp-up technical and operational collaboration between CMS and issuers, which
we all agree strongly will be key to success in the lead-up to Oct 1 and beyond.

Marilyn/Aryana, I don't want to be a scheduling bottleneck, as time is of the essence, but would be delighted to
participate in any key planning calls for the next phase of work. (Randy/Vivian, cc:'d, manage my schedule, and your
office can reach out to them anytime - and again, please don't let me be a bottleneck!)

All the best, and go team go!
Todd


From: Handelman, Justine [mailto:]
Sent: Sunday, July 21, 2013 11:36 AM
To: Park, Todd
Cc: Baer, Mara
Subject: Thanks and Follow-Up

Todd,

Thanks so much for the call last week. As we shared, logos are a top priority for our Plans because we know how
important it will be for consumer shopping but we understand the constraints you are under given all that has to get
done before open enrollment.

As we discussed, Plans are working very hard to be ready day 1 but that is only possible if we can be in complete sync
with the federal government which will require an open process of sharing operational timelines and detailed
operations/IT plans with the issuer community. We are in very close contact with all the CMS staff working on
implementation and are currently developing a detailed list of what we need from the agencies to make sure we're all
prepared. We would like to share that information with you as well and continue a dialogue about how we work
together.

We appreciated hearing about the plans being put together quickly for regular meetings with Administration and Plan
technical people to ensure readiness for Oct 1 as well as the "tiger teams" and operations center being
developed. Plans are very eager to hear more about these efforts so they can shore up their operations, systems and
staffs to be ready. Perhaps we can schedule a call soon to hear more about these activities and timing for plan
engagement?

Thanks so much,

Justine




OSTP ACA 0007217






OSTP ACA 0007216 







From: Snyder, Michelle (CMS/OA)
Sent: Saturday, August 24, ^57 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: Additional surges?

We have added some folks and are making arrangements to add others as needed. We need to approach this in a very
controlled fashion and not overwhelm CGI or QSSI. On Monday we are walking through the assessment as a result of the
Thursday through Sunday reviews

No further resource action at this time

Thanks

Michelle

Sent from my BlackBerry Wireless Device


From: Park, Todd [mailto:]
Sent: Saturday, August 24, 2013 02:38 PM
To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA)
Cc: Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: Additional surges?

Also, Michelle and Henry - are there any other resource fied.Hatsqj^ that you would like to make
happen, drawing in additional resources from contractors/subcontractors or Federal employee detailees from other
agencies (e.g., Presidential Innovation Fellow developers who could be detailed quickly to CMS)? In the spirit of throwing
absolutely everything the US Government can into the fight, please let me know if there is any other surge that you'd
like to make happen - anything at all that could be helpful. Email or call me anytime weekend and evenings included.

Todd


From: Park, Todd
Sent: August 23, 2013 03:37 PM
To: Chao, Henry (CMS/OIS); Graubard, Vivian; Mielke, Dawn M.
Cc: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

Henry, you did a terrific job on the call and conceiving this whole Red Hat surge play. Viva la developer surge! It sounds
like Red Hat is really going to kick in and deliver the goods please keep me posted regarding the actual materialization
of the surge and if I should call Red Hat to keep applying pressure. Also, as we all discussed, please let me know if I need
to talk with other folks across government to explain why their best Red Hat developers are moving immediately to the
Marketplace project :)

Great job, go team go, and semper fi,
Todd

From: Chao, Henry (CMS/OIS) [mailto:]
Sent: Friday, August 23, 2013 2:j8 PM
To: Park, Todd; Graubard, Vivian; Mielke, Dawn M.
Cc: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

yup

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


From: Park, Todd [mailto:]
Sent: Friday, August 23, 2013 2:37 PM
To: Chao, Henry (CMS/OIS); Graubard, Vivian; Mielke, Dawn M.
Cc: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

OK, terrific. Will they have the slides? And will you lead the toltthrough of the slides?


From: Chao, Henry (CMS/OIS) [mailto:]
Sent: Friday, August 23, 2013 2:36 PM
To: Park, Todd; Graubard, Vivian; Mielke, Dawn M.
Cc: Snyder, Michelle (CMS/OA); Kerr, James T. (CMS/CMHPO); Outerbridge, Monique (CMS/OIS)
Subject: FW: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates
Importance: High

This is what we will use for discussion points. Red Hat execs are available at 3pm. QSSI and CGI will both be on the call
along with me.

Appoint is coming in a few min.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


From: Karlton Kim [mailto:]
Sent: Friday, August 23, 2013 2:21 PM
To: Chao, Henry (CMS/OIS); Sharma, Hemant (CGI Federal); Campbell, Cheryl (CGI Federal); Martin, Rich (CGI Federal);
Manambedu, Lakshmi (CGI Federal)
Cc: Outerbridge, Monique (CMS/OIS); Oh, Mark U. (CMS/OIS)
Subject: Re: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

Karlton Kim
Sr. Vice President of Program Delivery
10480 Little Patuxent Parkway, Suite 1100, Columbia MD 21044
| mobile |


From: Karlton
Date: Friday, August 23, 2013
To:
"Campbell, Cheryl (CGI Federal)"; <
"lakshmi.manambedu
Cc: Monique Outerbridge
Subject: Re: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

This is where I'm going with it. Haven't received the RedHat execs yet.

Karlton Kim
Sr. Vice President of Program Delivery
10480 Little Patuxent Parkway, Suite 1100, Columbia MD 21044
Office | mobile



"Campbell, Cheryl (CGI

From: <Chao>, "henry.chao
Date: Friday, August 23, PM
Federal)"; Rich Martin <
"lakshmi.manambedu
Cc: Monique Outerbridge
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

Is it soup yet?

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


From: Karlton Kim [mailto:
Sent: Friday, August 23, 2013 1:06 PM
To: Chao, Henry (CMS/OIS); Sharma, Hemant (CGI Federal); Campbell, Cheryl (CGI Federal); Martin, Rich (CGI Federal);
Manambedu, Lakshmi (CGI Federal)
Cc: Outerbridge, Monique (CMS/OIS); Oh, Mark U. (CMS/OIS)
Subject: Re: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates
Importance: High

OK,

Karlton Kim
Sr. Vice President of Program Delivery
10480 Little Patuxent Parkway, Suite 1100, Columbia MD 21044
Office | mobile |


"Campbell, Cheryl (CGI

From: <Chao>, "henry.chao
Date: Friday,
To: Karlton Kim
Federal)"; Martin <
"lakshmi.manambedu
Cc: Monique Outerbridge
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

Karlton,

Please take what Hemant has put together as a single set of skills and delineate between what skills are needed by each
side and put that in an agenda/talking points for Todd and I the call at 3pm. Need the names of the Red Hat execs, too

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


From: Karlton Kim [mailto:]
Sent: Friday, August 23, 2013 12:53 PM
To: Sharma, Hemant (CGI Federal); Chao, Henry (CMS/OIS); Campbell, Cheryl (CGI Federal); Martin, Rich (CGI Federal);
Manambedu, Lakshmi (CGI Federal)
Cc: Outerbridge, Monique (CMS/OIS); Oh, Mark U. (CMS/OIS)
Subject: Re: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted

Yes, I will have the dial in, and I will add anything additional we may have to your list

Karlton Kim
Sr. Vice President of Program Delivery
10480 Little Patuxent Parkway, Suite 1100, Columbia MD 21044
Office | mobile

From: <Sharma>, Hemant Sharma <
Date: Friday, August 23, 2013 12:47 PM
To: Karlton Kim; henry.chao
Federal)"; Rich
"Campbell, Cheryl (CGI
"lakshmi.manambedu
Cc: Monique
Subject: RE: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates

Henry,

Here is what we can use help with from Red Hat

1. Java Enterprise (JEE) architects/developers (4 resources) - the expectation for these resources to be part of a
SWAT team to help w/Gk
a. Analysis/identification, debugging, and resolution of issues related to FFM application design - one
recent example is session management that Mark WWteImn RedHat is helping with.
b. Since these are JEE architects/developers they will also help with development activities within the
various teams. Resources that have experience with user interface development especially
Javascript/backbone would be very helpful, for example resources like Trevor Quinn from RedHat.

2. JBoss SOA-P Performance Tuning (2 resources) - the expectation is that these resources will help with the
identification and resolution of issues related to JBoss SOA-P performance and scalability.

3. JBoss Operations (1 resource) - the expectation is that this resource will help with operations and
administration related activities of the JBoss middleware infrastructure - such as shell scripting to automate
administration/monitoring tasks and experience with JBoss Operations Network. One example resource from
RedHat in this category is OvfdluFecidorcyv.

Karlton, not sure if you are looking for similar resources, but am guessing there will be some overlap. Let me know if you
would like to talk real time. Afed^s^frslfte you have the Red Hat contact identified and I don't need to get a different

Thanks,

Hemant

Hemant Sharma | Vice President, CGI Federal | 12601 Fair Lakes Circle, VA 22033 |
www.c^.

CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to CGI Group Inc. and its affiliates may be
contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of
this message to such person), or think for any reason this message may have been addressed to you in error, you
may not use or copy or deliver this message to anyone else. In such case, you should destroy this message, and are
asked to notify the sender by reply email.


From: Karlton Kim [mailto:
Sent: Friday, August 23, 2013 11:25 AM
To: Chao, Henry (CMS/OIS); Campbell, Cheryl (CGI Federal); Martin, Rich (CGI Federal); Sharma, Hemant (CGI Federal);
Manambedu, Lakshmi (CGI Federal)
Cc: Outerbridge, Monique (CMS/OIS); Oh, Mark U. (CMS/OIS)
Subject: Re: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted
dates
Importance: High

Yes. We will give you skill set V expertise.

Karlton Kim
Sr. Vice President of Program Delivery
10480 Little Patuxent Parkway, Suite 1100, Columbia MD 21044
Office | mobile |

From: <Chao>, "henry.chao
Date: Friday,
To: Karlton Kim; "Campbell, Cheryl (CGI Federal)"; Martin
Hemant Sharma <
lakshmi.manambedu
Cc: Monique Outerbridge; Mark <
Subject: Recruiting a top notch Red Hat team to assist in the Pods to ensure quality and ability to meet targeted dates

Todd Park request that we provide him the right contact at Red Hat so he can request Red Hat to provide their top
hands-on experts (Developers, Engineers, Testers, Performance, Architects, troubleshooters, etc.) to our CGI and QSSI
vehicles. We already have a few really good people and we can benefit from this offer to round up more of the best to
work with us.

Here's what I need:

Hemant and Karlton please list the skill sets you believe we have a gap in or need more of for Red Hat at the level of
expertise greater than what we currently have access to. Also talk to your Red Hat contacts to get the right executive
listed on the following page for Todd to call (and ask your Red Hat contact for the information for Todd.

http://www.redhat.com/about/company/management/

Please get that back to me before 3pm. Does that work?

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services



From: Fasching, Laura
Sent: Sunday, September 29, 2013 1:53 AM
To: Park, Todd; 'henry.chao
Subject: RE: How serious are you about using Homestead AFB to get the equipment to
Culpeper?

Understood and I will call you if we hit a snag.
Thanks

-----Original Message-----
From: Park, Todd [
Sent: Sunday, September 29, 2013 01:47 AM Eastern Standard Time
To: Fasching, Laura; 'henry.chao
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Laura, terrific, thanks! If you run into issues, no matter what hour it is, please call me - my phone will
be on and next to my ear all night: please don't hesitate to at any hour. And we can trigger backup option at
literally any hour of the night if need be.

Thanks!
Todd


From: Fasching, Laura [mailto:
Sent: Sunday, September 29, 2013 01:25 AM
To: Park, Todd; 'henry.
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Ok thanks Todd, we are good for now the shippers are at the data center getting ready to pick up the gear now. We will
let ^.tl know if we run into any issues and need the back up options.

Thanks

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd. Irving, Texas, 75039


From: Park, Todd [mailto:]
Sent: September
To: Fasching, Laura;
Subject: Re: How serious are you al
ng Homestead AFB to get the equipment to Culpeper?

Laura, can you let us know when the shippers do indeed pick up the equipment from Miami and that the private cargo
transport play is officially in motion and good to go?

We in fact have ascertained that military transport is available as a backup option in case the commercial option falls
through at the last second but the commercial option is more cost-effective. However, if the commercial shippers
flake out, we can actuate the military option - folks are standing by.


From: Fasching, Laura [
Sent: Saturday, September 2013 10:^ 6 PM
To: Park, Todd; Chao, He
Cc: Fasching, Laura
Subject: RE: How s
ing Homestead AFB to get the equipment to Culpeper?

Glad to help, let me know if you need anything else gentlemen
Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd. Irving, Texas, 75039


From: Park, Todd [mailto:]
Sent: Saturday, September 28, 2013 10:38 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS)
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

That is super-awesome Laura, thanks so very, very, very much!!!!


From: Fasching, Laura
Sent: Saturday, September 28, 2013 10:36 PM
To: Chao, Henry (CMS/OIS); Park, Todd
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Todd & Henry,

The shipper is picking up the equipment in the next 30 minutes from the Miami data center and we expect the shipment
to arrive between 9:30 AM to 10:00 AM. :)

So Monday COB is looking good as long as we keep the shippers on schedule, as the build teams will be working at 6 am
with the equipment that was brought in today.

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd. Irving, Texas, 75039


From: Chao, Henry (CMS/OIS) [mailto:
Sent: Saturday, September 28, 2013 3:03 PM
To: Fasching, Laura; Park, Todd
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?

I got the approval from our COO and head of Contracts to go with the 40k option.

Contracts said we will have to work out how this can be a tins you can bill in the contract but no problem figuring that
out later.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd.


From: Fasching, Laura [
Sent: Saturday, S
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Ok great Henry can I get confirmation that the Government will pay for the plane? We have to get LWfd Smalls
approval so we will need to tall as soon as possible.

Thanks and sorry to rush you all.
Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
Irving, Texas, 75039


From: Park, Todd [mailto:
Sent: Saturday, September 28, 2013 Si50 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS)
Subject: RE: How serious are you about using Homestead AFB to get -

FYI the private plane option I am pursuing would likely cost about the same as the FedEx expedite cargo plane option
below.

Henry, I think that delivery to the data center mid-day Sunday so^ steajiy*


From: Fasching, Laura
Sent: Saturday, September 28, 2013 5:46 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?
Importance: High

Ok here is what I was able to do

I was able to get to FedEx Custom Critical they can drive it to us via truck with pick up tonight at liiOp PM (EST) and
delivery around 9 PM on Sunday night for $3700.00
Or
They have an expedite cargo plane option which would get all 6 pallets on the plane (insured/bonded) and get the
delivery to the data center by mid-day Sunday which still gives us a good amount of time to work on the configurations.
The cost however is $40,000.00.

If you would want to move on either of these options let me know as we need Henry to approve the costs.

Thanks

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd. Texas, 75039

From: Park, Todd [mailto:
Sent: Saturday, September 28, 2013 8:37 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS)
Subject: How serious are you about using Homestead AFB to get the equipment to Culpeper?

OK have reached a private plane broker. They are investigating ASAP. I told them Miami to Dulles was the desired flight
path is that correct?


From: Fasching, Laura [mailto:]
Sent: Saturday, September 28, 2013 8:10 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Quantity 6 200.00 lb pallets Dimensions 39x25x33

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222
Irving, Texas, 75039


From: Park, Todd [mailto:
Sent: Saturday, September 28, 2013 7:® F
To: Chao, Henry (CMS/OIS); Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

OK you can call me at


From: Chao, Henry (CMS/OIS) [mailto:]
Sent: Saturday, September 28, 2013 7:57 PM
To: laura.fasching; Park, Todd
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?

I'll call and patch you both in

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244

To: Fasching, Laura; Chao, Henry (CMS/OIS)
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Hi Laura, can you get on the phone for a moment to discuss? What's the best number at which to reach


From: Fasching, Laura
Sent: Saturday, September 28, 2013 7:53 PM
To: Park, Todd; Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Ok I have confirmed our Air-force option is a go and is the best option as we will have the build resources available for
the full build and be able to deliver that on Monday

We are working with trucking companies now to get a truck to pick up sometime tomorrow and direct ship to us
again the equipment would not get here until Monday morning at the earliest and then you're looking at
Wednesday/Thursday delivery and at that point we should go with our original shipping plan.

And lastly we are having a challenge on getting the logistics aligned for a chartered cargo plane, it looks like we may not
be able to get that arranged until Monday morning and would not know until then when they could pick up deliver
equipment - so this option would need to be explored in depth on Monday.

This is what we have at this point
Laura

Laura Fasching
| Verizon Terremark
222 W Las Colinas Blvd. Irving, Texas, 75039


Sent: Saturday, September 28, 2013 7:34 PM
To: Chao, Henry (CMS/OIS); Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Laura, by when do you need to make a decision about whether to send via private ground, private cargo plane, or Air
Force (if Air Force is indeed an option?)

And to confirm private ground would deliver the hardware on Tuesday (to be installed Wednesday?), private cargo
plane would deliver the hardware on Monday (to be installed Tuesday?). With no possibility of acceleration of those
timetables?


From: Chao, Henry (CMS/OIS)
Sent: Saturday, September 28, 2013 7:29 PM
To: 'laura.fasching; Park, Todd
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Todd - it's in your hands now to make a guide decision.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd


From: Fasching, Laura [
Sent: Saturday, September 28, 3
To: Park, Todd; Chao, Henry (CMS/OIS)
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

We have been exploring that option too but no luck so far

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd. Irving, Texas, 75039


Sent: Saturday, September 28, 2013 7:25 PM
To: Chao, Henry (CMS/OIS); Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Also: as another option to explore in the interest of exploring all options simultaneously, is it possible to arrange for
heroic chartered private sector ground transportation that could get going super-early tomorrow morning and get to
Culpeper by Sunday evening?


From: Park, Todd
Sent: Saturday, September 28, 2013 7:03 PM
To: 'Chao, Henry (CMS/OIS)'; 'laura.fasching
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

WH team responded instantly, is working on it as sps^ and will get back to us ASAP. But they unfortunately are not
optimistic, so we should explore other options in parallel

Is there any possibility of arranging for private/commercial cargo plane transport? Chartered, even?


From: Chao, Henry (CMS/OIS) [
Sent: Saturday, September 28, 2013 6:35 PM
Subject: Re: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Just talked to Todd and he is going to talk to the rest of WH that can make this happen so just reply with the confirmed
service to Homestead.

Todd - let us know ASAP so Laura will send via ground if you can't arrange for transport to someplace the Air Force can
(and near Culpeper VA.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
5 -r "44


From: Fasching, Laura [mailto:
Sent: Saturday, September 28, 2013 0Q:09 PM
To: Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Henry,

We are working on firming up the white glove shippers but once that is done we would be good to go.

If we get the shippers scheduled and the equipment gets here tomorrow my engineers said they have the resources to
build it out and just like we said before up by cob Monday.

I will let you know about the shippers within an hour.

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
Irving, Texas, 75039


From: Fasching, Laura
Sent: Saturday, September 28, 2013 5:27 PM
To: Chao, Henry (CMS/OIS)
Cc: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?

Henry,

If you can make it happen... wow
This equipment would be

Below is the possible weight, quantity, and size of the pending equipment
Quantity 6 200.00 lb pallets Dimensions 39x25x3.3

On our side we have to get the equipment from the data center to Homestead AFB so I have the team looking at white
glove courier services now. We would use the same kind of service to pick up the gear at Andrews Air Force base and
have them transport it to Culpepper.

While they look for the white glove courier, I will make sure engineering will be able to add this space to their work load
to have it over to you on Monday with the rest of the compute.

I am on calls with folks now to firm up our ability to pull off the logistics on our side, I will update you shortly.

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
Irving, Texas, 75039


From: Chao, Henry (CMS/OIS)
Sent: Saturday, September 28, 2013 4:56 PM
To: Fasching, Laura
Subject: RE: How serious are you about using Homestead AFB to get the equipment to Culpeper?
Importance: High

Todd Park is willing to ask if we can define the need so that means to me if we can get the AF involved we would target
tomorrow morning to get the equipment installed at Culpeper before 10/1.

let me know

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services



From: Chao, Henry (CMS/OIS)

Seat; ^^rdeyr$ep ^g^-24 ^013 PM 

How serious are you about using Homestead AFB to get the equipment to Culpeper?
Importance: High


From: Trenkle, Tony
Sent: Friday, August 23, 2013 ^35 PM
To: Park, Todd; Snyder, Michelle (CMS/OA)
Subject: RE: Response to Todd's Cybersecurity bullet requests

Michelle beat me to it.



Sent: Friday, August 23, 2013 SSil PM
To: Snyder, Michelle (CMS/OA)
Cc: Trenkle, Tony (CMS/OIS)
Subject: RE: Response to Todd's Cybersecurity bullet requests

I think these are great, thank you. Will send to Marilyn/Jeanne, and cc: the two of you + Frank Baitman, as Tony
suggests. Thanks again!


From: Snyder, Michelle (CMS/OA)
Sent: Friday, August 23, 2013 6:21 PM
To: Park, Todd
Subject: FW: Response to Todd's Cybersecurity bullet requests
Importance: High

• . -*,4 ■ > 

■riaie&eyareav '.-- ■ 

. Wc-7-:.yvr • -■ • 


Sent from my BlackBerry Wireless Device


From: Trenkle, Tony (CMS/OIS)
Sent: Friday, August 23, 2013 (1452 PM
To: Snyder, Michelle (CMS/OA)
Cc: Chao, Henry (CMS/OIS); Jang, Terris (C24^0C); Trenkle, Tony (CMS/OIS)
Subject: Response to Todd's Cybersecurity bullet requests

Michelle,

Below are the bullets that I suggest that we send to Todd. We kept them focused on CMS and fairly generic. I
can forward them to Todd or you can. We can also add to them if you want any statistics etc. Also, we should
probably copy Frank on the response in case he wants to add anything from the HHS perspective.

• The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing
major breaches involving the loss of personally identifiable information from cyber-attacks. CMS has in
place established risk management, security controls assessment, and security authorization
processes for all CMS systems. These controls meet or exceed existing Federal standards.

• CMS has been an innovator leader in the information security community through the use of state of
the art continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline
configurations are up to date and compliant and that deviations are quickly identified and
mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which
From: Park, Todd
Sent: Friday,
To: marilyn.tavenner[redacted]; Lambrew, Jeanne
Cc: michelle.snyder[redacted] Tony (CMS/OIS); frank-baitman[redacted]
Subject: Cybersecurity bullet points

Hi Jeanne and Marilyn, here are bullet points from Team ^iit how the Marketplace will be protected from cyber-attacks.
Folks can add statistics and other additional info ifdfi^d. Also looping Frank Baitman from HHS.

• The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major
breaches involving the loss of personally identifiable information from cyber-attacks. CMS has in place
established risk management, security controls assessment, and security authorization processes for all CMS
systems. These controls meet or exceed existing Federal standards.

• CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations
are up to date and compliant and that deviations are quickly identified and mitigated. Additionally these
technologies have the capability to detect unknown or rogue hosts which are quickly identified and
blocked. Penetration testing is also performed on all CMS systems to identify vulnerabilities and reduce or
eliminate potential risks from external threats.

• The IT systems that are being created for the Marketplace will meet or exceed existing Federal security
standards and will utilize state of the art monitoring and surveillance tools. CMS is also working closely with
HHS and other public and private sector security experts to get additional technical support for the Marketplace
program.
are quickly identified and blocked. Penetration testing is also performed on all CMS systems to identify
vulnerabilities and reduce or eliminate potential external threats.

• The IT systems that are being created for the Marketplace will meet or exceed existing Federal security
standards and will utilize state of the art monitoring and surveillance tools. CMS is also working closely
with HHS and other public and private sector security experts to get additional technical support for the
Marketplace program.


From: Park, Todd
Sent: Friday, August 23, 2013 11:14 AM
To: Snyder, Michelle (CMS/OA); Trenkle, Tony (CMS/OIS)
Cc: Tavenner, Marilyn (CMS/OA)
Subject: Cybersecurity bullet points
Importance: High

Hi Michelle and Tony, Marilyn/WH folks would love to get three basic bullet points describing how we will protect the
Marketplace from cyberattack. Many apologies, but if we could get these by COB today, that would be fantastic. Is that
possible?

Below are three strawcase bullet points folks have drafted, feel free to edit/change in any way you see fit. See notes
following each bullet as well.

• Center for Medicare and Medicaid Services (CMS) and the Internal Revenue Service (IRS) have been
relentlessly attacked, given the amount of funding that they manage, yet there has never been a major breach
and loss of personally identifiable information or loss of taxpayer dollars.

• Use of electronic applications does not necessarily make information less secure. For example, in 2012, 119
million taitpayers fifeK etoronic8lly ,.witfi lessti iaft Balf a. milfton fraclibo B.dng^ected fay identify. theft since 
2008. S q I K/yo».r cy wanpo rjgJce tics ffilleftmirel^ wiih'SjjthcV 6.,^ 

'V V .'f V™ v,lnt to add 


• The information technology systems that are being created for the Marketplace meet or exceed existing
government standards. In addition HHS is working with States, IRS, DOJ and the FTC on a comprehensive plan
to identify, prevent, detect, and prosecute identity theft and fraud.

Thanks so very, very much for your help.

Todd
From: Park, Todd
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: michelle.snyder[redacted] Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd
From: Trenkle, Tony
Sent: Wednesday, August 28, 2013
To: Park, Todd
Cc: Snyder, Michelle Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO); Fryer, Teresa Kfe
Subject: Re: Cyber next steps

Todd

Yes, this is consistent with what we discussed yesterday, looping in Frank Teresa.
Michelle

I assume that we should have Henry there as well.


Sent:
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M. <[redacted]>; Graubard, Vivian
Subject:

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 2, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!
From: Trenkle, Tony (CMS/OIS) <
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.


From: Todd [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - -

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd
From: Park, Todd
Sent: Wednesday, August 28, 2013 S;4S PM
To: Trenkle, Tony
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn; Graubard, Vivian; Baitman, Frank
(OS/ASA/OCIO); Khalid, Aryana C (CMS/OA)
Subject: RE: Cyber next steps

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd


Sent: Wednesday,
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.


To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd
From: Trenkle, Tony
Sent: Wednesday, August 28, 2013 7:01 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank
(OS/ASA/OCIO); Khalid, Aryana C (CMS/OA)
Subject: Re: Cyber next steps

Frank

Your call. I can move things around but I thought you were tied up


From: Park, Todd [mailto:
Sent: Wednesday, August 28, 2013 C^:44 PM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian;
Baitman, Frank (OS/ASA/OCIO); Khalid, Aryana G. (CMS/OA)
Subject: RE: Cyber next steps

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd


From: Trenkle, Tony (CMS/OIS)
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.


From: Park, Todd [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd
From: Baitman, Frank (OS/ASA/OCIO) <
Sent: Wednesday, August 28, 2013 1'^
To: Park, Todd; Trenkle, Tony
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M; Graubard, Vivian; Khalid, Aryana C.
(CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: Re: Cyber next steps

+ Adding Kevin

Todd et al,

Unfortunately the Secretary's Leadership Council is next Wed afternoon - and believe we'll have some IT items on the
agenda, so I need to be there.

I believe we can address our defenses in a balanced manner: It should come as no surprise that we experience attacks
and have defenses. But for public facing material, we need to be careful to avoid too many details, and thereby avoid
providing an instruction manual or worse, a challenge to malcontents to engage.

-Frank


From: <Park>, Todd <
Date: Wednesday,
To: "Trenkle, Tony (CMS/OIS)" <
Cc: "Snyder, Michelle (CMS/OA)"
"Graubard, Vivian"
>, "Khalid, Aryana G. (CMS/OA)"
Subject: RE: Cyber next steps
"Mielke, Dawn M."
Frank Baitman

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.


From: Park, Todd [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd
From: Park, Todd
Sent: Wednesday, August 28, 2013 7:38 PM
To: Baitman, Frank (OS/ASA/OCIO); Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C.
(CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: RE: Cyber next steps

OK, will try to call in for a 10 am Wed meeting and make that work. And Frank, agree with your points about public-
facing material.

Thanks!

Todd


From: Baitman, Frank (OS/ASA/OCIO) [mailto:
Sent: Wednesday, August 28, 2013 7:24 PM
To: Park, Todd; Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C (CMS/OA); Charest, Kevin
(OS/ASA/OCIO/OIS)
Subject: Re: Cyber next steps

+ Adding Kevin

Todd et al,

Unfortunately the Secretary's Leadership Council is next Wed afternoon and believe we'll have some IT items on the
agenda, so I need to be there.

I believe we can address our defenses in a balanced manner. It should come as no surprise that we experience attacks
and have defenses. But for public facing material we need to be careful to avoid too many details, and thereby avoid
providing an instruction manual or a challenge to malcontents to engage.

-Frank


From: <Park>, Todd <
Date: Wednesday, AUgjS2%205fp^4W^
To: "Trenkle, Tony (CMS/OIS)"
Cc: "Snyder, Michelle (CMS/OA)"
"Graubard, Vivian" <
"Khalid, Aryana C (CMS/OA)" <
Subject: RE: Cyber next steps
"Mielke, Dawn M."
Frank Baitman

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.


From: Park, Todd [mailto:
Sent: Wednesday, August
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO, and probably a
DHS person and DOJ person (she was thinking someone who has experience going after cyberattackers), plus
any other folks you want to have there to discuss how to protect the Marketplace from cyberattack. This
would include a discussion of our defenses, the threats, and our responses to the threats. I would absolutely
love to be part of as much of this meeting as I can, but also don't want to be a scheduling bottleneck, and it
should really happen sooner rather than later - looping Dawn and Viv to help with my schedule. You should go
ahead and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll figure that out) that
basically outlines the protection strategy, including threat assessment and response strategy. This will be a
memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him about cyber and
the Marketplace - we should do a confidential, cone of silence consult with him after we've had our meeting as
per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?
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From: 

Sent 

To: 

Cc 

Subject 


Trenkle, Tony (CMS/CaS <| 

Wednesday, Augustus, 2^33 9i37 


Park, Todd 

Ba'itmah, Frank (OyASA^QC^ S^eb Micelle ((^S/O/i^* Mielke, Dawn M.;<jraubart^ 
Vivian; Khalid, A^na CiCMSii'OAi Oiarest^ K^n (OS/^A/OOD/OIS) 

Re: Cj^er next steps^ 


! think that we all can agree on that Todd, the cal! wn1l follow the outimethat you laid Putin your email and our 
discussion should then drive what we say In the merro. 

On Aug 28/2013,at7:3S FM, ’’Park, Todd” 


OK, will try to call in for a 10 am Wed m eetmg and make that work. And Frank, agree with your points 
about pubiic-fedng material. 


Thanksi 

Todd 


From: Baitman, Frank (OS/AS^OCIO) [n^ntg;||||||||||||[^^ 

Sent: Wednesday, August 28, 2013 7:24 PM 

To: Park^ Todd; Tr^e, Tony (CMS/QIS) . , 

Cc Snyder, Mchdle (CH5/QA); Mie^e, Dawn M.^Graub^, \rtsfenj Kha Rd, Aryaha C (O1S/0A); 

Charest, Kevin (O^ASA/odO/OIS) . 

&ilgecfcR6:<^ber;ne5d;steps 

+ Adding Kevin 


Toddetal, — - - 

Unfortunately the Secretary's Leadership Council is next Wed a:^noon. and believe we‘|l.have'some lT 
items on die agenda, 50 1.need to be there. 


I belleve we can address our defenses Ina balanceclfoanneri it should cbrne^ no sUrpilsethat we , . 

experience' attacks arid have defenses. 8ut,';forpi®^f^hg mafei^1,7wl>fed.'tQb^ 

many details, and thereby ayoid pro vidtng an instructibn inanuai or worse, a.dialfohge.tp malcont^ts to 

engage. 


-Frank 


From: <Park>, Todd <[redacted]>
Date: Wednesday, August 28, 2013
To: "Trenkle, Tony (CMS/OIS)" <[redacted]>
Cc: "Snyder, Michelle (CMS/OA)", "Mielke, Dawn M.", "Graubard, Vivian", Frank Baitman, "Khalid, Aryana C. (CMS/OA)"
Subject: RE: Cyber next steps

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on
Wednesday? If that is not possible, I can try to figure something out, but just thought I'd check. :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably
makes sense to target putting together a memo by end of next week (and talking with Alex Karp
by end of next week to help inform the memo - will try to set up time with him for Thursday
the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against
cyberattack, (2) what would our response/action be if an attack/crisis happened, and (3) how
would we prosecute attackers. The roster for the meeting Michelle recommended (to include
DHS and also DOJ to handle the prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality
and strength of CMS cyberdefenses, should that become useful. Alex Karp could be one, but
might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways
for external communications purposes as well.

Thanks!

Todd


From: Trenkle, Tony (CMS/OIS) [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank
and that works for him. Teresa is already working with Kevin on pulling information together. I'll ask my
scheduler to work with Dawn and Viv.


From: Park, Todd
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO,
and probably a DHS person and DOJ person (she was thinking someone who has experience
going after cyberattackers), plus any other folks you want to have there to discuss how to
protect the Marketplace from cyberattack. This would include a discussion of our defenses, the
threats, and our responses to the threats. I would absolutely love to be part of as much of this
meeting as I can, but also don't want to be a scheduling bottleneck, and it should really happen
sooner rather than later - looping Dawn and Viv to help with my schedule. You should go ahead
and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll
figure that out) that basically outlines the protection strategy, including threat assessment and
response strategy. This will be a memo that we pass on to WH leadership as well, fyi for
internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him
about cyber and the Marketplace -- we should do a confidential, cone of silence consult with
him after we've had our meeting as per item 1, not before; I'll set this up at the appropriate
moment.

Does this sound cool to you?

Thanks!

Todd

From: Park, Todd
Sent: Wednesday, August 28, 2013 9:40 PM
To: 'tony.trenkle[redacted]'
Cc: 'frank.baitman[redacted]'; 'michelle.snyder[redacted]'; [redacted]; 'kevin.charest[redacted]'; Mielke, Dawn M.; Graubard, Vivian
Subject: Re: Cyber next steps

Terrific, Tony, thanks, looking forward to it!
Todd


From: Trenkle, Tony (CMS/OIS)
Sent: Wednesday, August 28, 2013 09:37 PM
To: Park, Todd
Cc: Baitman, Frank (OS/ASA/OCIO) <[redacted]>; Snyder, Michelle (CMS/OA) <[redacted]>; Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C. (CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: Re: Cyber next steps

I think that we all can agree on that Todd, the call will follow the outline that you laid out in your email and our
discussion should then drive what we say in the memo.

On Aug 28, 2013, at 7:38 PM, "Park, Todd" wrote:

OK, will try to call in for a 10 am Wed meeting and make that work. And Frank, agree with your points
about public-facing material.

From: Baitman, Frank (OS/ASA/OCIO) [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 7:24 PM
To: Park, Todd; Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C. (CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: Re: Cyber next steps

+ Adding Kevin

Todd et al,

Unfortunately the Secretary's Leadership Council is next Wed afternoon and believe we'll have some IT
items on the agenda, so I need to be there.

I believe we can address our defenses in a balanced manner; it should come as no surprise that we
experience attacks and have defenses. But, for public-facing material we need to be careful to avoid too
many details, and thereby avoid providing an instruction manual or worse, a challenge to malcontents to
engage.

- Frank


From: <Park>, Todd
Date: Wednesday, August 28, 2013, 5:44 PM
To: "Trenkle, Tony (CMS/OIS)"
Cc: "Snyder, Michelle (CMS/OA)", "Mielke, Dawn M.", "Graubard, Vivian", Frank Baitman <[redacted]>, "Khalid, Aryana C. (CMS/OA)"
Subject: RE: Cyber next steps

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on
Wednesday? If that is not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably
makes sense to target putting together a memo by end of next week (and talking with Alex Karp
by end of next week to help inform the memo - will try to set up time with him for Thursday
the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against
cyberattack, (2) what would our response/action be if an attack/crisis happened, and (3) how
would we prosecute attackers. The roster for the meeting Michelle recommended (to include
DHS and also DOJ to handle the prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality
and strength of CMS cyberdefenses, should that become useful. Alex Karp could be one, but
might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways
for external communications purposes as well.

Thanks!

Todd


From: Trenkle, Tony (CMS/OIS) [mailto:[redacted]]
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank
and that works for him. Teresa is already working with Kevin on pulling information together. I'll ask my
scheduler to work with Dawn and Viv.


From: Park, Todd
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank Baitman, his CISO,
and probably a DHS person and DOJ person (she was thinking someone who has experience
going after cyberattackers), plus any other folks you want to have there to discuss how to
protect the Marketplace from cyberattack. This would include a discussion of our defenses, the
threats, and our responses to the threats. I would absolutely love to be part of as much of this
meeting as I can, but also don't want to be a scheduling bottleneck, and it should really happen
sooner rather than later - looping Dawn and Viv to help with my schedule. You should go ahead
and schedule the meeting, and I will try to be there for as much of it as I possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for others - we'll
figure that out) that basically outlines the protection strategy, including threat assessment and
response strategy. This will be a memo that we pass on to WH leadership as well, fyi for
internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to speak with him
about cyber and the Marketplace -- we should do a confidential, cone of silence consult with
him after we've had our meeting as per item 1, not before; I'll set this up at the appropriate
moment.


Does this sound cool to you?

Thanks!

Todd

From: Siskel, Edward
Sent: Thursday, August 29, 2013 11:13 AM
To: Dotzel, Peggy [redacted]
Cc: Jennings, Christopher; Lambrew, Jeanne; McGuinness, Tara; Leinwand, Jessica; Suvor, Daniel; Park, Todd
Subject: Follow up items

Thanks again for participating in yesterday's meeting and for all the work you have been doing to help protect
consumers during the roll-out of the Marketplaces. Below is a list of do-outs from the meeting based on my
notes. Please let me know if I am missing anything or if you have any questions. We will reconvene the group next
week and ideally will have made substantial progress on each of these items by then. Also, I only have email addresses
for a few of the participants in yesterday's meeting, so please forward this on to the other representatives from your
agencies.

• HHS, HHS OIG and FTC will finalize procedures for referral of consumer fraud complaints through the call center,
HHS OIG line, and online (training material for operators; protocol for live transfers when caller elects; links to
FTC website from healthcare.gov and the HHS OIG website).

• HHS and FTC will develop (1) training materials for state-run exchanges to use in their call centers; and (2) a link
to be provided to the state-run exchanges to use on their websites.

• FTC will develop an easy "how to" document that [illegible] how to register a complaint (including use of drop-
down menu).

• FTC/CMS will follow up with Vicki to incorporate the public education materials that HHS OIG has started to
create to develop educational material to consumers who register a complaint.

• FTC will add to DOJ's "track record" document or create a parallel version.

• HHS will continue to refine fact sheets and public education materials and circulate to the group.

• All agencies will explore outside validators who can speak to the relevant (public education/outreach,
intake process, value of sentinel prosecution, etc).

Thanks, Ed




OSTPACA0007711 




Audio conference information

1. Please call the following number: [redacted]

2. Follow the instructions you hear on the phone.
Your WebEx Meeting Number: [redacted]

From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
-- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts -- we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd

From: Park, Todd
Sent: Monday, September 02, 2013 12:10 PM
To: 'tony.trenkle[redacted]'
Cc: 'Michelle.Snyder[redacted]'; Graubard, Vivian; Mielke, Dawn M.
Subject: A couple of follow-ups

Hi Tony and Frank! A couple of follow-ups to my email to Chris below:

1. Just wanted to make sure we're going to have DHS and DOJ folks on the 10 am call on Wed, as per our original
plan?

2. It looks like the call with Alex Karp's top cyber folks will be 4 pm on Wednesday - Tony, can you join this call? Feel
free to have others join as well. Frank, I think you may be in a but if you can join as well, that would be terrific.

The agenda would be to (in confidence) discuss our cyber positioning and plans and get their thoughts - Dawn/Viv, can
you make sure Tony/Frank are invited? Thanks!

Cheers,

Todd


-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
-- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd

From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:29 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: RE: Cybersecurity points



Ok, thanks Todd. Quite helpful and will serve as placeholder for
[redacted] We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the 16th. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.

Chris


-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
-- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts -- we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd

From: Baitman, Frank (OS/ASA/OCIO)
Sent: Monday, September 02, 2013 1:21 PM
To: Park, Todd; Trenkle, Tony
Cc: Snyder, Michelle (CMS/OA); Khalid, Aryana C. (CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: Re: Cybersecurity points
Importance: High

Looping Kevin into this conversation as well.
I think we can come up with something.
-Frank


On 9/2/13 1:14 PM, "Park, Todd" <[redacted]> wrote:

>Hi Tony, many apologies for interrupting your Labor Day, but can you
>help Chris with his follow-up question below (reference to "current
>federal standards and how they exceed private sector as well as track
>record of protection from attacks"). I think the federal standards
>reference may refer to federal privacy/security standards? And with
>respect to track record of protection from attacks, I think a couple of
>sentences of additional description on this front would be sufficient
>(and again, this is for internal purposes, not external communication).
>
>[redacted] getting this
>would be amazingly helpful, if at all possible -- might this be
>possible? Thanks so very much...
>
>Todd
>
>-----Original Message-----
>From: Jennings, Christopher
>Sent: Monday, September 02, 2013 12:28 PM
>To: Park, Todd
>Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]';
>'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]';
>'frank.baitman[redacted]'; Graubard, Vivian
>Subject: RE: Cybersecurity points
>
>Ok, thanks Todd. Quite helpful and will serve as placeholder for
>[redacted] We need to have all of this locked down for September 11th
>hearing; we also have to have strong message with Justice, FTC, HHS and
>others for our enforcement event the week of the 16th. I know we had
>reference somewhere to current federal standards and how they exceed
>private sector as well as track record of protection from attacks. Can
>you or someone provide that reference for me to bolster confidence
>building tomorrow? Thanks much for all. And safe and fun travels my
>friend.
>
>-----Original Message-----
>From: Park, Todd
>Sent: Monday, September 02, 2013 12:02 PM
>To: Jennings, Christopher
>Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]';
>'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]';
>'frank.baitman[redacted]'; Graubard, Vivian
>Subject: Cybersecurity points
>
>Hi Chris, here are cybersecurity background points for
>[redacted] The first three are the points CMS put
>together previously which I'm sure you've already seen; they are
>followed by a couple of points about next steps currently underway.
>Please let us know if you have any questions. I'll be on a long flight
>for much of Tuesday
>-- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and
>Aryana, who can answer any questions you have that might arise.
>
>- The Centers for Medicare and Medicaid Services (CMS) has maintained
>a strong history of preventing major breaches involving the loss of
>personally identifiable information from cyber-attacks. CMS has in
>place established risk management, security controls assessment, and
>security authorization processes for all CMS systems. These controls
>meet or exceed existing Federal standards.
>
>- CMS has been an innovator leader in the information security
>community through the use of state of the art continuous monitoring
>tools that remotely scan the IT assets of CMS systems to ensure
>baseline configurations are up to date and compliant and that
>deviations are quickly identified and mitigated. Additionally these
>technologies have the capability to detect unknown or rogue hosts which
>are quickly identified and blocked. Penetration testing is also
>performed on all CMS systems to identify vulnerabilities and reduce or
>eliminate potential risks from external threats.
>
>- The IT systems that are being created for the Marketplace will meet
>or exceed existing Federal security standards and will utilize state of
>the art monitoring and surveillance tools. CMS is also working closely
>with HHS and other public and private sector security experts to get
>additional technical support for the Marketplace program.
>
>- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept
>4, with CMS, HHS, DHS, DOJ, and me to review (1) our preparation for
>and defenses against cyberattack, (2) what our response/action would be
>in the event of an attack/crisis, and (3) how we would prosecute attackers.
>CMS will then produce a memo summarizing the above by the end of the week.
>
>- As an fyi, we have also reached out to Alex Karp and team. Alex
>put us in touch with his top cyber experts -- we are slated to speak
>with them on Wednesday as well.
>
>Chris, again, please let us know if you have any questions!
>
>All the best,
>
>Todd

From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: Re: Cybersecurity points



Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people - they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Todd


-----Original Message-----
From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:28 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]
[redacted] We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the 16th. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.

Chris


-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts -- we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd

From: Jennings, Christopher
Sent: Monday, September 02, 2013 2:43 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: RE: Cybersecurity points



Thanks Todd. And thanks Tony and Frank; would appreciate having as soon as is possible (with my preference, not
surprisingly, being tonight before my stressful morning starts). Having said this, I will take what I can get when I get it
with gratitude.

Chris


-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid[redacted]'; 'Michelle.Snyder[redacted]'; 'tony.trenkle[redacted]'; 'frank.baitman[redacted]'; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people - they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Cheers,

Todd


Original Message 
From: Jennings, Christopher 
Sent: Monday, September 02, 2013 12:28 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid; 'Michelle.Snyder [redacted]; 'frank.baitman; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]

We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the ISth. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.

Chris

— Original Message —
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid; 'Michelle.Snyder; 'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd
From: Park, Todd
Sent: Tuesday, September 03, 2013 1:38 AM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; Michelle.Snyder [redacted]; tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris, here are an expanded/updated set of bullet points from Frank and Tony:

- Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see regular attempts to
infiltrate and test the security of our systems. We take these threats seriously, continuously monitoring for
inappropriate activity, and adjusting our defenses accordingly.

- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches involving the loss
of personally identifiable information from cyber-attacks. CMS faces unique challenges in maintaining a strong cyber
security infrastructure because of its decentralized IT infrastructure and heavy dependence on contractors to perform
most agency functions. To deal with these challenges, CMS has established an information security program with
consistent risk management, security controls assessment, and security authorization processes for all enterprise
systems. The security controls established and implemented by CMS meet existing Federal standards.

- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities and has been
an innovative leader in using state of the art continuous monitoring tools. These tools can remotely scan the IT assets of
CMS systems to ensure baseline configurations are up to date and compliant and that deviations are quickly identified
and mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which are quickly
identified and blocked. CMS has also implemented a penetration testing program to scan CMS systems to identify
vulnerabilities and reduce or eliminate potential risks from external threats.

- IT security for the Marketplace presents additional challenges because of short timelines, high visibility, multiple
Federal and non-Federal partners, and new complex systems being built to support the program. CMS' information
security staff have been working closely with IT development teams to help ensure that all required security testing is
completed. Test results will then be reviewed by security staff; when the results are determined to be acceptable, an
Authority to Operate (ATO) will be issued. The ATO is signed by both the CMS Chief Information Officer (CIO) and the
Chief Information Security Officer (CISO).

- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1. A signed ATO
signifies that the systems are operating at an acceptable level of risk and will meet tough Federal security
standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and surveillance tools to be able to
quickly detect and deal with potential threats. CMS is also working closely with HHS and other public and private sector
security experts to get additional technical support for the Marketplace program.

- The U.S. standard for designing the information security program and responding to associated threats has been
developed by the National Institute for Standards and Technology in support of the Federal Information Security
Management Act. FISMA has emerged as the gold standard for information security standards and guidelines across the
globe.

- OMB has mandated the use of NIST standards for all federal civilian agencies, including HHS. HHS has developed a
robust information security program across all its operating divisions to ensure that the information security
posture is robust and responsive to emerging threats. Working with the US-CERT at the Department of Homeland
Security, HHS ensures that threats to information assets and networks are addressed and mitigated as rapidly
as possible. This situational awareness and real-time mitigation activity embrace the newly launched systems in support
of ACA through the coordination and collaboration mechanisms now in place at the Department.
— Original Message —
From: Jennings, Christopher

[redacted] We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the 15th. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.

Chris


— Original Message — 

From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; 'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
-- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts — we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd
From: Jennings, Christopher
Sent: Tuesday, September 03, 2013 7J2 AM
To: Park, Todd; Siskel, Edward
Cc: Lambrew, Jeanne; Jones, Isabel; 'aryana.khalid; 'Michelle.Snyder [redacted]; tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points

Thank you Todd and all on this email. Very helpful and greatly appreciated.

[redacted] to for this background more
importantly, your great work to protect us from cyber attacks/security threats.

Chris


Original Message — 

From: Park, Todd
Sent: Tuesday, September 03, 2013 01:38 AM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; Michelle.Snyder [redacted]; 'frank.baitman [redacted]
Subject: Re: Cybersecurity points

Hi Chris, here are an expanded/updated set of bullet points from Frank and Tony:

- Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see regular attempts to
infiltrate and test the security of our systems. We take these threats seriously, continuously monitoring for
inappropriate activity, and adjusting our defenses accordingly.

- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches involving the loss
of personally identifiable information from cyber-attacks. CMS faces unique challenges in maintaining a strong cyber
security infrastructure because of its decentralized IT infrastructure and heavy dependence on contractors to perform
most agency functions. To deal with these challenges, CMS has established an information security program with
consistent risk management, security controls assessment, and security authorization processes for all enterprise
systems. The security controls established and implemented by CMS meet existing Federal standards.

- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities and has been
an innovative leader in using state of the art continuous monitoring tools. These tools can remotely scan the IT assets of
CMS systems to ensure baseline configurations are up to date and compliant and that deviations are quickly identified
and mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which are quickly
identified and blocked. CMS has also implemented a penetration testing program to scan CMS systems to identify
vulnerabilities and reduce or eliminate potential risks from external threats.

- IT security for the Marketplace presents additional challenges because of short timelines, high visibility, multiple
Federal and non-Federal partners, and new complex systems being built to support the program. CMS' information
security staff have been working closely with IT development teams to help ensure that all required security testing is
completed. Test results will then be reviewed by security staff; when the results are determined to be acceptable, an
Authority to Operate (ATO) will be issued. The ATO is signed by both the CMS Chief Information Officer (CIO) and the
Chief Information Security Officer (CISO).

- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1. A signed ATO
signifies that the systems are operating at an acceptable level of risk and will meet tough Federal security
standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and surveillance tools to be able to
quickly detect and deal with potential threats. CMS is also working closely with HHS and other public and private sector
security experts to get additional technical support for the Marketplace program.

- The U.S. standard for designing the information security program and responding to associated threats has been
developed by the National Institute for Standards and Technology in support of the Federal Information Security
Management Act. FISMA has emerged as the gold standard for information security standards and guidelines across the
globe.

- OMB has mandated the use of NIST standards for all federal civilian agencies, including HHS. HHS has developed a
robust information security program across all of its operating divisions to ensure that the information security
posture is robust and responsive to emerging threats. Working with the US-CERT at the Department of Homeland
Security, HHS ensures that threats to information assets and networks are addressed and mitigated as rapidly
as possible. This situational awareness and real-time mitigation activity embrace the newly launched systems in support
of ACA through the coordination and collaboration mechanisms now in place at the Department.


— Original Message 
From: Jennings, Christopher
Sent: Monday, September 02, 2013 02:43 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; 'frank.baitman [redacted]
Subject: RE: Cybersecurity points

Thanks Todd. And thanks Tony and Frank; would appreciate having as soon as is possible (with my preference, not
surprisingly, being tonight before my stressful morning starts). Having said, guys, I will take what I can get when I get it
with gratitude.

Chris


— Original Message —
From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid; 'Michelle.Snyder [redacted]; 'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people — they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Cheers,

Todd
— Original Message —
From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:28 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; [redacted]; 'frank.baitman; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]

[redacted] We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the leth. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.

Chris


— Original Message — 

From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; 'tony.trenkle [redacted]
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd
Jennings, Christopher

Tuesday, September 03, 2013 4:33 PM

Siskel, Edward; Mdauihn^ TaT^; Lambrew, Jeanne; Park, Todd

Jones, Isabel; [redacted]

'tony.trenkle [redacted]; Graubard, Vivian

Re: Cybersecurity points
- Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see regular attempts to
infiltrate and test the security of our systems. We take these threats seriously, continuously monitoring for
inappropriate activity, and adjusting our defenses accordingly.

- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches involving the loss
of personally identifiable information from cyber-attacks. CMS faces unique challenges in maintaining a strong cyber
security infrastructure because of its decentralized IT infrastructure and heavy dependence on contractors to perform
most agency functions. To deal with these challenges, CMS has established an information security program with
consistent risk management, security controls assessment, and security authorization processes for all enterprise
systems. The security controls established and implemented by CMS meet existing Federal standards.

- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities and has been
an innovative leader in using state of the art continuous monitoring tools. These tools can remotely scan the IT assets of
CMS systems to ensure baseline configurations are up to date and compliant and that deviations are quickly identified
and mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which are quickly
identified and blocked. CMS has also implemented a penetration testing program to scan CMS systems to identify
vulnerabilities and reduce or eliminate potential risks from external threats.

- IT security for the Marketplace presents additional challenges because of short timelines, high visibility, multiple
Federal and non-Federal partners, and new complex systems being built to support the program. CMS' information
security staff have been working closely with IT development teams to help ensure that all required security testing is
completed. Test results will then be reviewed by security staff; when the results are determined to be acceptable, an
Authority to Operate (ATO) will be issued. The ATO is signed by both the CMS Chief Information Officer (CIO) and the
Chief Information Security Officer (CISO).

- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1. A signed ATO
signifies that the systems are operating at an acceptable level of risk and will meet tough Federal security
standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and surveillance tools to be able to
quickly detect and deal with potential threats. CMS is also working closely with HHS and other public and private sector
security experts to get additional technical support for the Marketplace program.

- The U.S. standard for designing the information security program and responding to associated threats has been
developed by the National Institute for Standards and Technology in support of the Federal Information Security
Management Act. FISMA has emerged as the gold standard for information security standards and guidelines across the
globe.

- OMB has mandated the use of NIST standards for all federal civilian agencies, including HHS. HHS has developed a
robust information security program across all of its operating divisions to ensure that the information security
posture is robust and responsive to emerging threats. Working with the US-CERT at the Department of Homeland
Security, HHS ensures that threats to information assets and networks are addressed and mitigated as rapidly
as possible. This situational awareness and real-time mitigation activity embrace the newly launched systems in support
of ACA through the coordination and collaboration mechanisms now in place at the Department.
— Original Message —
From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid; 'tony.trenkle [redacted]
Subject: Re: Cybersecurity points

Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people - they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Cheers,

Todd



— Original Message —
From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:23 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid; Michelle.Snyder [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]

[redacted] We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the iGth. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.


— Original Message —
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; Aryana.Khalid; 'Michelle.Snyder; 'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for [redacted] The first three are the
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd
From: Trenkle, Tony (CMS/OIS) [redacted]
Sent: Tuesday, September 03, 2013 7:22 PM
To: Park, Todd; Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA)
Subject: Re: Cybersecurity points

I don't see any problem with him joining if it helps with context etc.

— Original Message —
From: Park, Todd [mailto: [redacted]
Sent: Tuesday, September 03, 2013 07d}6PM
To: Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA)
Subject: Fw: Cybersecurity points

Tony, Frank, Michelle, thoughts on Ed joining our 10am call tomorrow, and then talking with him afterwards briefly?
One point to discuss with him is Frank's very point that we need to walk a fine line publicly — showing we take the
risks seriously but also not baiting hackers into attacking.

Also, it was part of the outline for tomorrow's call, but wanted to follow up on if we can get some external
validators to be references with respect to CMS's general cyber defenses and approach to cybersecurity - again, in the
context of the walking the fine line above....

Thanks so much,

Todd


— Original Message —
From: Siskel, Edward
Sent: Tuesday, September 03, 2013 05:14 PM
To: Park, Todd
Subject: FW: Cybersecurity points

— Original Message —
From: Jennings, Christopher
Sent: Tuesday, September 03, 2013 4:33 PM

Thanks all.

Chris

— Original Message

Subject: RE: Cybersecurity points

Hi Chris, here are an expanded/updated set of bullet points from Frank and Tony:

- Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see regular attempts to
infiltrate and test the security of our systems. We take these threats seriously, continuously monitoring for
inappropriate activity, and adjusting our defenses accordingly.

- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches involving the loss
of personally identifiable information from cyber-attacks. CMS faces unique challenges in maintaining a strong cyber
security infrastructure because of its decentralized IT infrastructure and heavy dependence on contractors to perform
most agency functions. To deal with these challenges, CMS has established an information security program with
consistent risk management, security controls assessment, and security authorization processes for all enterprise
systems. The security controls established and implemented by CMS meet existing Federal standards.

- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities and has been
an innovative leader in using state of the art continuous monitoring tools. These tools can remotely scan the IT assets of
CMS systems to ensure baseline configurations are up to date and compliant and that deviations are quickly identified
and mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which are quickly
identified and blocked. CMS has also implemented a penetration testing program to scan CMS systems to identify
vulnerabilities and reduce or eliminate potential risks from external threats.

- IT security for the Marketplace presents additional challenges because of short timelines, high visibility, multiple
Federal and non-Federal partners, and new complex systems being built to support the program. CMS' information
security staff have been working closely with IT development teams to help ensure that all required security testing is
completed. Test results will then be reviewed by security staff; when the results are determined to be acceptable, an
Authority to Operate (ATO) will be issued. The ATO is signed by both the CMS Chief Information Officer (CIO) and the
Chief Information Security Officer (CISO).

- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1. A signed ATO
signifies that the systems are operating at an acceptable level of risk and will meet tough Federal security
standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and surveillance tools to be able to
quickly detect and deal with potential threats. CMS is also working closely with HHS and other public and private sector
security experts to get additional technical support for the Marketplace program.

-- The U.S. standard for designing the information security program and responding to associated threats has been 
developed by toe National Institute for- Standards and Tediholbgy In support of t he FederaMnfonnatfon Security 
Management Act. OSMAhasemeiged as the gokf steridaMfdf information secUr^ standards arid iuidellnes aCToss the 
globe. 

- 0MB has mandated theuse of NIST kandardsfor all fed^tch^anageira^.iriduding HHS^ HHS haydey^oped a 
robust informationsKurity program across al! ^ ite operating divisiOTS to ansure that the informat ion sec^ 
posture Is robust and response to emerging threats. Working with toe US -CERT at'the Departinent of Honwiand 
Security^, HHS en^restbatthreatsto information' assets and networks are addressed and mitigated as rapidly 

as po,ssfble.This‘5tuation3i awareness and real -time rriiitigaticMi activity embrace the hewlylaonch.eil systems in, support 
of AGA through thecoordmatiori and cdlabo rationine^anfems now ul place at tfie Departinent; . ^ 


Original Message 

From: Jennings, Christopher
Sent: Monday, September 02, 2013 02:43 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Thanks Todd. And thanks Tony and Frank; would appreciate having as soon as is possible (with my preference, not
surprisingly, being tonight before my stressful morning starts). Having said, guys, I will take what I can get when I get it
with gratitude.

Chris 


— Original Message —

From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted];
'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people - they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Cheers,

Todd 


— Original Message —

From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:23 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]
We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the 16th. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.


Chris 


— Original Message —

From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted];
'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for you [redacted]
points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about
next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd

From: Snyder, Michelle (CMS/OA)
Sent: Tuesday, September 03, 2013 7:24 PM
To: Trenkle, Tony (CMS/OIS); Park, Todd; Baitman, Frank (OS/ASA/OCIO)
Subject: Re: Cybersecurity points

Agree with Tony
M

Sent from my BlackBerry Wireless Device


— Original Message —

From: Trenkle, Tony (CMS/OIS)
Sent: Tuesday, September 03, 2013 07:22 PM
To: Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA)
Subject: Re: Cybersecurity points


I don't see any problem with him joining if it helps with context etc.


— Original Message —
From: Park, Todd [mailto:
Sent: Tuesday, September 03, 2013 07:06 PM
To: Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA)
Subject: Fw: Cybersecurity points


Tony, Frank, Michelle, thoughts on Ed joining our 10 am call tomorrow, and then talking with him afterwards briefly?
One point to discuss with him is Frank's very good point that we need to walk a fine line publicly - showing we take the
risks seriously but also not baiting hackers into attacking.


Also: it was part of the outline for tomorrow's call, but just wanted to follow up on if we can get some external
validators to be references with respect to CMS's general cyberdefenses and approach to cybersecurity - again, in the
context of the walking the fine line above....


Thanks so much, 
Todd 


— Original Message — 

From: Siskel, Edward
Sent: Tuesday, September 03, 2013 05:14 PM
To: Park, Todd
Subject: FW: Cybersecurity points

— Original Message —

From: Jennings, Christopher
Sent: Tuesday, September 03, 2013 4:33 PM
To: Siskel, Edward; Lambrew, Jeanne; Park, Todd
Cc: Jones, Isabel

Importantly, your great work to protect us from cyber attacks/security


— Original Message —

From: Park, Todd
Sent: Tuesday, September 03, 2013 01:38 AM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'tony.trenkle [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points


Hi Chris, here are an expanded/updated set of bullet points from Frank and Tony:

- Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see regular attempts to
infiltrate and test the security of our systems. We take these threats seriously, continuously monitoring for
inappropriate activity, and adjusting our defenses accordingly.

- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches involving the loss
of personally identifiable information from cyber-attack. CMS faces unique challenges in maintaining a strong cyber
security infrastructure because of its decentralized IT infrastructure and heavy dependence on contractors to perform
most agency functions. To deal with these challenges, CMS has established an information security program with
consistent risk management, security controls assessment, and security authorization processes for all enterprise
systems. The security controls established and implemented by CMS meet existing Federal standards.

- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities and has been
an innovative leader in using state of the art continuous monitoring tools. These tools can remotely scan the IT assets of
CMS systems to ensure baseline configurations are up to date and compliant and that deviations are quickly identified
and mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which are quickly
identified and blocked. CMS has also implemented a penetration testing program to scan CMS systems to identify
vulnerabilities and reduce or eliminate potential risks from external threats.

- IT security for the Marketplace presents additional challenges because of short timelines, high visibility, multiple
Federal and non-Federal partners, and new complex systems being built to support the program. CMS Information
security staff have been working closely with IT development teams to help ensure that all required security testing is
completed. Test results will then be reviewed by security staff; when the results are determined to be acceptable, an
Authority to Operate (ATO) will be issued. The ATO is signed by both the CMS Chief Information Officer (CIO) and the
Chief Information Security Officer (CISO).

- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1. A signed ATO
signifies that the systems are operating at an acceptable level of risk and will meet tough federal security
standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and surveillance tools to be able to
quickly detect and deal with potential threats. CMS is also working closely with HHS and other public and private sector
security experts to get additional technical support for the Marketplace program.

- The U.S. standard for designing the information security program and responding to associated threats has been
developed by the National Institute for Standards and Technology in support of the Federal Information Security
Management Act. FISMA has emerged as the gold standard for information security standards and guidelines across the
globe.

- OMB has mandated the use of NIST standards for all federal [illegible], including HHS. HHS has developed a
robust information security program across all of its operating divisions to ensure that the information security
posture is robust and responsive to emerging threats. Working with the US-CERT at the Department of Homeland
Security, HHS ensures that threats to information assets and networks are addressed and mitigated as rapidly
as possible. This situational awareness and real-time mitigation activity embrace the newly launched systems in support
of ACA through the coordination and collaboration mechanisms now in place at the Department.


— Original Message —
From: Jennings, Christopher
Sent: Monday, September 02, 2013 02:43 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Thanks Todd. And thanks Tony and Frank; would appreciate having as soon as is possible (with my preference, not
surprisingly, being tonight before my stressful morning starts). Having said, guys, I will take what I can get when I get it
with gratitude.


Chris

— Original Message —
From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted];
'tony.trenkle [redacted]; 'frank.baitman [redacted]; Graubard, Vivian
Subject: Re: Cybersecurity points


Hi Chris,

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information Security
Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other agencies adhere to higher
standards and go through a more rigorous level of assessment than is typical in the private sector.

Tony and Frank are also pulling together additional info on track record of defending against attacks, working with their
info security people - they are tracking folks down today and will seek to get you additional info by tonight... But if it
turns out they need until first thing tomorrow morning to get you the track record info, would that be OK?

Cheers,

Todd


— Original Message — 

From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:23 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted]; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok, thanks Todd. Quite helpful and will serve as placeholder for [redacted]
We need to have all of this locked down for September 11th hearing; we also have to have strong
message with Justice, FTC, HHS and others for our enforcement event the week of the 16th. I know we had reference
somewhere to current federal standards and how they exceed private sector as well as track record of protection from
attacks. Can you or someone provide that reference for me to bolster confidence building tomorrow? Thanks much for
all. And safe and fun travels my friend.


Chris 


— Original Message —

From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid [redacted]; 'Michelle.Snyder [redacted];
'tony.trenkle [redacted]; Graubard, Vivian
Subject: Cybersecurity points

Hi Chris, here are cybersecurity background points for you

points CMS put together previously which I'm sure you've already seen; they are followed by a couple of points about

OSTP ACA 0007746

next steps currently underway. Please let us know if you have any questions. I'll be on a long flight for much of Tuesday
- am looping Tony (CMS CIO), Frank Baitman (HHS CIO), Michelle, and Aryana, who can answer any questions you have
that might arise.

- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS has in place established risk
management, security controls assessment, and security authorization processes for all CMS systems. These controls
meet or exceed existing Federal standards.

- CMS has been an innovator leader in the information security community through the use of state of the art
continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline configurations are up to
date and compliant and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. Penetration testing is also
performed on all CMS systems to identify vulnerabilities and reduce or eliminate potential risks from external threats.

- The IT systems that are being created for the Marketplace will meet or exceed existing Federal security standards and
will utilize state of the art monitoring and surveillance tools. CMS is also working closely with HHS and other public and
private sector security experts to get additional technical support for the Marketplace program.

- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me to review
(1) our preparation for and defenses against cyberattack, (2) what our response/action would be in the event of an
attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo summarizing the above by the
end of the week.

- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber experts - we are
slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions! 

All the best, 

Todd 


OSTP ACA 0007747


From: Trenkle, Tony <
Sent: Wednesday, September 04, 2013 5:12 AM
To: Siskel, Edward; Homey, Mary P. (CMS/OIS)
Cc: Graubard, Vivian; [illegible]
Subject: 10 call


Mary,

please add Ed to the appointment
Thanks

— Original Message —

From: Park, Todd [mailto:
Sent: Tuesday, September 03, 2013 7:53 PM
To: Siskel, Edward
Cc: Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA); Graubard, Vivian; Mielke,
Dawn M.
Subject: Re: Cybersecurity points


Ed, it would be great for you to join the 10 am call hosted by Tony Trenkle tomorrow, and for a subset of us to chat with
you for a few minutes after the call. Tony, can you make sure Ed gets the invite/call-in number?

Ed, it may also make sense for you to join the 4pm mtg - let's discuss tomorrow, thanks!

Todd

From: Jennings, Christopher
Sent: Tuesday, September 17, 2013 10:56 PM
To: Park, Todd
Subject: Fw: Final Version of PR
Attachments: FINAL Marketplace Fraud Press Release WHCO edits clean.docx; FINAL Marketplace
Fraud Press Release WHCO edits.docx


From: Jones, Isabel
Sent: Tuesday, September 17, 2013 09:18 PM
To: 'Salcido, Dori (HHS/ASPA)' <[redacted]>; Sye, Tait (OS/ASPA) <[redacted]>; Jennings,
Christopher; Jackson, Veronica (HHS/ASPA) <[redacted]>
Subject: Re: Final Version of PR


Sorry, two tiny edits attached that WHCO just told me are must haves to keep FTC onboard [illegible] we can go with this
as final


From: Salcido, Dori (HHS/ASPA) [mailto:
Sent: Tuesday, September 17, 2013 8:59 PM
To: Jones, Isabel; Sye, Tait (OS/ASPA); Jennings, Christopher; Jackson, Veronica (HHS/ASPA)
Subject: RE: Final Version of PR


Yes, minor tweak, but final is also attached.
Dori Salcido

Obama Administration announces a coordinated effort to prevent and detect consumer fraud in the
Health Insurance Marketplace

Today, Attorney General Eric Holder, Health and Human Services Secretary Kathleen Sebelius, and 
Federal Trade Commission Chairwoman Edith Ramirez met at the White House to kick off a 
comprehensive interagency initiative to prevent, protect against, and where necessary prosecute 
consumer fraud and privacy violations in the Health Insurance Marketplaces. Representing key state
partners in this critically important effort to protect consumers were Maryland Attorney General
Douglas Gansler and Kansas Insurance Commissioner Sandy Praeger. Senior White House officials also
attended the meeting.

Meeting participants reaffirmed their ongoing commitment to protect consumers from threats in this 
area. Building on a successful infrastructure that already exists, the interagency officials highlighted the 
following new initiatives: 1) the dedication of the Marketplace Call Center as a resource and referral to
FTC for consumer fraud concerns; 2) training for the Marketplace Call Center staff to effectively refer
consumer threats and complaints; 3) connecting consumers to FTC's Complaint Assistant through
Healthcare.gov; 4) development of a system of routing complaints through the FTC's Consumer Sentinel
Network for analysis and referral as appropriate; 5) establishment of a rapid response mechanism for
addressing privacy or cybersecurity threats and; 6) release of new educational materials to empower
consumers and assisters who help potential enrollees to avoid scams.

"Today we are sending a clear message that we will not tolerate anyone seeking to defraud consumers
in the Health Insurance Marketplace," said Health and Human Services Secretary Sebelius. "We have 
strong security safeguards in the Marketplace to protect people’s personal information against fraud 
and we will work with our partners to aggressively prosecute bad actors, just as we have been doing 
in Medicare, Medicaid and the Children's Health Insurance Program." 

The experienced and dedicated professionals at HHS, DOJ and FTC, together with their state and local
partners, are ready to anticipate and respond to the law enforcement challenges that may arise with the
launch of the Marketplace. They will be using tried and tested methods for combatting fraud associated
with other government programs, so that consumers can confidently and securely shop for affordable
health insurance beginning on October 1.

"I am proud of the proactive approach that the Justice Department is taking with our colleagues at HHS
and FTC, and with the state law enforcement community, to prevent and detect consumer fraud in the
Health Insurance Marketplace," said Attorney General Eric Holder. "Going forward, we intend to share
information, work cases, and hold wrongdoers accountable as we always do. We plan to use our
tried-and-tested collaborative methods to ensure that we can identify trends and take swift action against
those seeking to take advantage of the newly insured."

Consumers who report that their personal information may have been compromised will be given
information about steps to take to prevent or respond to identity theft. If a consumer reports suspected
fraud, his or her complaint will be entered into the FTC's Consumer Sentinel Network database, which is
used by federal and state law enforcement agencies to track potential fraud activity. Federal law
enforcement officials will be able to monitor complaint activity for trends within and across all 50
States.

"At the FTC, we know all too well how scammers invariably try to take advantage of developments in the
marketplace and new government programs," said FTC Chairwoman Edith Ramirez. "We will be vigilant
as always in cracking down on this type of opportunistic fraud."

Consumer fraud experts from across state and federal agencies will continue to meet on a regular basis 
to monitor potential fraud associated with the Marketplace and ensure the strength of preventive 
measures. Steps have already been initiated to prevent and respond to individuals attempting to take 
advantage of the public during health care implementation.


These measures include: 

• Reporting fraud mechanism: A new feature of the Marketplace Call Center (1-800-318-2596,
TTY 1-855-889-4325), will now enable individuals to report fraud simply by calling the 1800
number.

• Training: Call Center operators trained to take a fraud complaint, and refer them to FTC's
Consumer Sentinel Network.

• Creating new pathways: Healthcare.gov offers easy access to connect consumers to FTC's
Complaint Assistant through HealthCare.Gov.

• Establishing a routing system for complaints through a centralized database: Routing
complaints through the Sentinel Network will ensure Federal, state and local law enforcement
have access to consumer complaints and can analyze and refer those complaints as appropriate.

• Protecting personal data: Building on last week's certification of the data hub and Health
Insurance Marketplace as in compliance with the stringent security, privacy and data flow
standards developed by the National Institute of Standards and Technology - the gold standard
for information and independent security controls assessment - the interagency officials have
also established a rapid response mechanism that will be employed in the unlikely event of a
data security breach.

• Empowering consumers with information: Building on a proactive effort to inform consumers
about potential fraud and privacy threats, the federal government is releasing new educational
materials to empower consumers and assisters who are helping consumers navigate the
Marketplaces. They include online tip sheets like: Protect Yourself from Fraud in the Health
Insurance Marketplace [...s-and-articles/protect-yourself-from-fraud-in-health-insurance-marketplace.pdf]
and Tips for Assisters to Help Consumers Navigate the Marketplace [INSERT LINK]. The materials remind
consumers that there is free assistance available to navigate the Marketplace and that they should be
suspicious of persons who ask for a fee before providing assistance.


In addition, the FTC and DOJ are hosting events this week in anticipation of the launch of the
Marketplace:

• Thursday, September 19th, the FTC will host a roundtable in Washington, DC to discuss how to
empower and protect consumers from scammers with the advent of the Health Insurance
Marketplace. The roundtable will bring together experts on the health care law, federal and
state consumer protection officials, representatives of legal services and community-based
organizations, and consumer advocates to discuss key features of the law, state approaches to
implementation, and how to help consumers avoid potential scams.

• Friday, September 20th, DOJ will host a law enforcement meeting to convene state and local
officials. This meeting is part of ongoing efforts urging state AGs to work with HHS and federal,
state, and local law enforcement to mount a substantial outreach campaign to educate
consumers about how to prevent scams and fraud and protect their personal information in the
Marketplace.

These comprehensive preventive and detection efforts build on the extensive experience and federal,
state and local intergovernmental infrastructure that has protected consumers from fraud.

• Since its creation in 1997, the HHS Senior Medicare Patrol has educated to more than 23 million
Medicare beneficiaries and counseled more than 1.3 million individuals about specific concerns,
one-on-one. Coupled with other outreach efforts, Medicare's toll-free customer service
operations sent nearly 45,000 inquiries to law enforcement partners for fraud investigations in
2012 alone. These direct-from-consumer leads ultimately supported the Administration's work
to prosecute criminals, returning $6.7 billion to the Medicare Trust Fund in the last four years.

• In the last several years, the FTC's Bureau of Consumer Protection has put a stop to over 50
health fraud scams, government grant schemes, and mortgage relief services frauds, and has
independently secured nearly $6 million in monetary relief for consumers. The Bureau conducts
investigations, sues companies and people that violate the law, and works to educate
consumers and businesses about their rights and responsibilities. The Bureau coordinates its
work in these areas with Federal, state and local partners.

• Over the last four years, DOJ has successfully prosecuted over four thousand defendants in
identity theft and aggravated identity theft cases, and convicted over 200 defendants in advance
fee fraud cases, over 500 defendants in consumer fraud cases, and over 100 defendants in
telemarketing fraud cases.

For more information on CMS's efforts to protect consumers in the Marketplace, please visit: Securing 
the Health Insurance Marketplace Fact Sheet [INSERT LINK] 

From: Park, Todd
Sent: Tuesday, September 17, 2013 4:43 PM
To: Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Trenkle, Tony (CMS/OIS); [illegible]
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?


Hi Jessica, I am signed up to help with the call! Looping Tony, Frank, and Brian. Two questions:

1. Is the call on background, or on the record?

2. Can Tony Trenkle and Frank Baitman join me on the call? They are the folks who know the details, and it would
be super-helpful for them to be on.


Thanks!
Todd


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 2:10 PM
To: Park, Todd
Cc: Jones, Isabel; Mielke, Dawn M.
Subject: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

From: Baitman, Frank (OS/ASA/OCIO)
Sent: Wednesday, September 18, 2013 [illegible] PM
To: Trenkle, Tony (CMS/OIS); Park, Todd
Subject: Re: Cyber bullet points for your review; plus a question


Just to add to Tony's earlier point there will be only ONE ATO for the FFM. The many components together make a
system that will be tested and validated end-to-end.

- Frank

From: <Trenkle>, "Tony (CMS/OIS)" <
Date: Wednesday, September 18, 2013 12:13 PM
To: "Todd Y. Park" <[redacted]>, Todd Y. Park <[redacted]>, Frank Baitman <
Subject: Re: Cyber bullet points for your review; plus a question

Todd

Yes that is basically it.


Frotnr Todd riba'^oi 

Sent; Wedf^lay, SeptHrS^ 18/2013 10:55 AM- 
To; Trerikl'^ Tony Frank (pS/ASA/OCK)) 

Subject: RE; €^)er buIletT^in^ for your review^ plus a' qu^'at 

AndTbnyandFr^fnS^sofiYiOtjetmjm.back^aundqaestiG3irthepms^:mfe3^tod^sav5T:‘Tc^ethe ..'V: 

interagency partners, CMS has developed a rapid response mechanism to respond to a potential data breach and
mitigate the effects of attempts to jeopardize the integrity of the Hub and the databases it connects."

Is this the same thing as the Incident Response capability discussed in Marilyn's letter, but with souped up interagency
coordination?

Or is it something different?

Just want to make sure I represent this properly, thanks!


From: Park, Todd
Sent: Wednesday, September 18, 2013 10:32 AM
To: Trenkle, Tony (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

And Tony, one more background question: is it the case that the security testing is done by an independent contractor
managed by CMS info security staff, and that the review of results, assessment, and signoff happen via you, the CISO,
and CMS info security staff? Thanks!


From: Park, Todd
Sent: Wednesday, September 18, 2013 10:15 AM
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
From: Park, Todd
Sent: Wednesday, September 18, 2013 12:43 PM
To: 'tony.trenkle
Subject: Re: Cyber bullet points for your review; plus a question

Thanks so much, Tony!


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Wednesday, September 18, 2013 12:38 PM
To: Park, Todd
Subject: RE: Cyber bullet points for your review; plus a question

Todd,

Sorry, I missed this one. Yes, you are correct about the process.


From: Park, Todd [mailto:
Sent: Wednesday, September 18, 2013 10:32 AM
To: Trenkle, Tony (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

And Tony, one more background question: is it the case that the security testing is done by an independent contractor
managed by CMS info security staff, and that the review of results, assessment, and signoff happen via you, the CISO,
and CMS info security staff? Thanks!


From: Park, Todd
Sent: Wednesday, September 18, 2013 10:15 AM
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA); Graubard, Vivian; Vahey,
Moira; Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

OK, great, Tony, thanks! Any other points you think I should have as background material?


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Wednesday, September 18, 2013 8:30 AM
To: Park, Todd; Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA); Graubard, Vivian; Vahey,
Moira; Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

Todd,

The bullets you have written are consistent with the letter as well as the call and statement from Gartner. In terms of
other ATOs, I would not characterize it that way because it sounds like we are doing a piecemeal approach. In reality
there will only be one ATO issued for the FFM, even though there are multiple components that are being tested. Here
is how I would re-write the sentence:

??CMSrs^wdcIr[g-t^lnsuret:hat’!all5Qcuntvtestrng.foPth*ejyraffJ^^Taffi£^stemsare completed and the appropriate > 
operetmg-autficK'ities -^^^SJgned before October 

I'm putting it in that context because the privacy and security framework for the Marketplace also includes
interconnection agreements with other federal agencies and states, agreements with issuers, and security
agreements/contract language for the Marketplace contractors.


Tony 


From: Park, Todd [mailto:
Sent: Wednesday, September 18, 2013 1:18 AM
To: Santillo, Jessica; Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA); Graubard, Vivian; Vahey,
Moira
Subject: Cyber bullet points for your review; plus a question
Importance: High

Hi Tony, Frank, and Jessica, please see draft cyber talking points below - they are drawn from Marilyn's letter plus
earlier talking points that Frank and Tony put together plus a statement that Gartner analyst Christian Byrnes recently
gave us about the statements in Marilyn's letter. Please let me know what you think, and make edits/additions as you
see fit (I have attached the bullet points in a Word document for easier track changes editing if desired).

Thanks!


We take extremely seriously our responsibility to protect personal information in the Affordable Care Act
Marketplace. Collectively, the tools, methods, policies, and procedures HHS has developed provide a safe and sound
security framework to safeguard consumer data, allowing eligible Americans to confidently and securely enroll in quality
affordable health coverage starting on October 1. This framework is consistent with the framework that exists for all
other HHS programs, such as Medicare, on which Americans rely every day.

- HHS's Centers for Medicare and Medicaid Services (CMS) has a strong track record of preventing breaches involving
the loss of personally identifiable information from cyber-attacks. This is due in large part to the establishment of an
information security program with consistent risk management, security controls assessment, and security authorization
processes for all enterprise systems. The system and security controls established and implemented by CMS meet tough
existing Federal standards.

- The Marketplace is designed to comply with the comprehensive information security standards developed by the
National Institute for Standards and Technology (NIST) in support of the Federal Information Security Management Act
(FISMA). NIST has emerged as the gold standard for information security standards and guidelines that all Federal
agencies follow. Several layers of protection will be in place to help protect against potential damage from attackers
and mitigate risks. For example, the Marketplace will employ a continuous monitoring model that will utilize sensors
and active event monitoring to quickly identify and take action against irregular behavior and unauthorized system
changes that could indicate potential attacks. Automated methods will ensure that system administrators have access
to only the parts of the system that are necessary to perform their jobs. These protocols, combined with continuous
monitoring, will alert system security personnel when any system administrator attempts to perform functions or access
data for which they are not authorized or are inconsistent with their job functions.

- Should security incidents occur, CMS would activate an Incident Response capability built on the model developed by
NIST. The Incident Response function allows for the tracking, investigation, and reporting of incidents so that HHS may
quickly identify security incidents and ensure that the relevant law enforcement authorities, such as the HHS Office of
Inspector General Cyber Crimes Unit, are notified for purposes of possible criminal investigation.

- CMS's information security staff have been working closely with Marketplace IT development teams to help ensure
that all required security testing is completed. Before Marketplace systems are allowed to operate and begin serving
consumers, they must comply with the rigorous standards we apply to all Federal operational systems, and CMS's Chief
Information Officer must authorize the systems to begin operation by issuing an Authority to Operate (ATO).

- The Data Hub, a key routing tool that helps Marketplace and State-Based Marketplaces
provide accurate and timely eligibility determinations (by verifying information in Federal and state databases),
successfully completed its independent security testing and was authorized to operate on September 6. The completion
of this testing confirms that the Hub comports with the tough standards discussed above and that CMS has
implemented the appropriate procedures and safeguards necessary for the Hub to operate securely on October 1.

- CMS is working to ensure that all security testing is completed and ATOs issued for other Marketplace components as

- HHS has produced a strong enterprise information security program by implementing state-of-the-art controls and
business processes based on statutory requirements, agency and organizational commitments, best practices, and the
experience and knowledge of our subject matter team members.

- As recently noted by Christian Byrnes, a leader of the information security practice at Gartner Research, which advises
thousands of private-sector and government clients on best practices associated with the use of information technology,
this HHS/CMS information security program as described above represents "current best practices for the protection of
sensitive and regulated data and systems."

- Application of this information security program to the Marketplace provides strong, sound safeguards for consumer
data, allowing eligible Americans to confidently and securely enroll in quality affordable health coverage.


From: Park, Todd
Sent: Tuesday, September 17, 2013 9:54 PM
To: Santillo, Jessica; 'tony.trenkle
Cc: Mielke, Dawn M.; 'frank.baitman; 'Brian.Cook; 'Michelle.Snyder
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Tony/Frank, an update - it looks like the background call tomorrow is with WH folks only, with detailed inquiries to
be referred to agencies.

So, while I'd love for you to hold the time on your calendars (just in case), as of this moment, you don't have to get on
the call :)

I've let Jessica know that you guys are the font of detailed knowledge on CMS/HHS cyber and that I can talk to it at a
general level only. She thinks that will be OK on the call tomorrow, with detailed questions to be referred to agencies.

Just to triple check this, I will be sending around talking points tonight which (combined with Marilyn's Hub letter)
basically represent what I'm prepared to say tomorrow. Would very much appreciate your vetting of these.

And in the event that, after reviewing my talking points, Jessica feels like we need more on the call, we may ask you to
attend the call after all ;)

So while you are off the hook for now, please do hold the call time, just in case!

Thanks so much, and please stay tuned for talking points to vet, coming later tonight,
Todd


From: Park, Todd
Sent: Tuesday, September 17, 2013 07:39 PM
To: Santillo, Jessica;
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman; 'Michelle.Snyder
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

OK, will draft talking points and send around later. And Tony/Frank, please confirm if you can join me on this
background call — again, only to participate in the cybersecurity portion :) Would really appreciate your help :)


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 07:37 PM
To: Park, Todd; 'tony.trenkle
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman; 'Michelle.Snyder
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Thanks Todd. If your team could draft the cyber talking points, that would be very helpful. Thanks so much.

We are still working on finalizing the paper but will share those with everyone as soon as they are ready.


From: Park, Todd
Sent: Tuesday, September 17, 2013 7:22 PM
To: Santillo, Jessica; 'tony.trenkle
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman; 'Brian.Cook; 'Michelle.Snyder
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Thanks, Jessica. Tony and Frank, can you join via phone? You'll only be asked to help with the cybersecurity part of the
call :) I am more than happy to deliver the primary talking points, which will focus principally on Marilyn's letter
regarding Hub cybersecurity + the general points the three of us hammered out a while back.

Jessica, are you putting together talking points for us, or would you like me to take a crack at them?

Thanks,

Todd


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 07:13 PM
To: Park, Todd; Trenkle, Tony (CMS/OIS)
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Todd, happy to have Tony and Frank join us for the cyber security portion.

On your first question, the call is on background according to "White House officials."

Thanks very much for making this work on such short notice. We will hold the call in EEOB 207. I will send
around a calendar invite.

Thank you again,

Jessica


From: Park, Todd
Sent: Tuesday, September 17, 2013 6:14 PM
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle
(CMS/OA)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Tony, the part of the call where you, Frank, and I would be participating would focus exclusively on cybersecurity....
Jessica, thoughts?


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Tuesday, September 17, 2013 [illegible] PM
To: Park, Todd; Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle
(CMS/OA)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Todd,

I am not really comfortable about participating on this call, even on background. It is getting into areas that I have not
been involved in (privacy and fraud prevention efforts).

Tony


From: Park, Todd [mailto:
Sent: Tuesday, September 17, 2013 4:43 PM
To: Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Jessica, I am signed up to help with the call! Looping Tony, Frank, and Brian. Two questions:

1. Is the call on background, or on the record?

2. Can Tony Trenkle and Frank Baitman join me on the call? They are the folks who know the details, and it would
be super-helpful for them to be on.

Thanks!

Todd


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 2:10 PM
To: Park, Todd
Cc: Jones, Isabel; Mielke, Dawn M.
Subject: Preventing Fraud in Marketplaces - WH background call with media tomorrow?
From: Trenkle, Tony (CMS/OIS)
Sent: Wednesday, September 18, 2013 4:25 PM
To: Park, Todd; Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA);
Graubard, Vivian; Vahey, Moira; Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

Todd,

Glad to help and I had no doubt that you could deftly handle all of the questions. You probably now have at least a
Bachelor's degree in CMS. I will let Gartner know.

Tony

Sent: Wednesday, September 18, 2013 2:09 PM
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA); Graubard, Vivian; Vahey,
Moira; Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

Hi all, the background call went well (knock on wood - will wait to see the coverage). Thank you all very much - Tony,
Team CMS, and Frank especially - for all of your help! On cyber, I basically delivered a condensed version of the talking
points below.

Tony, I did, indeed, cite Gartner's statement as referenced in the bullet points below, and referenced Christian's name
specifically - you may want to give Gartner/Christian a heads up about that.

The only question we got on cyber was a question about the Hub ATO on Sept 6 and whether security testing for the
Marketplace was done. The answer I gave was that security testing was now complete for the Hub, which is a critical
component of the overall Marketplace. Security testing continues for other components of the Marketplace, and CMS is
working to ensure that all security testing for Marketplace systems is completed and associated authority to operate is
issued before October 1.

Jessica, please let us know if you get any follow-up questions - thanks!

Todd


From: Trenkle, Tony (CMS/OIS) [mailto:
Sent: Wednesday, September 18, 2013 8:30 AM
To: Park, Todd; Santillo, Jessica; Baitman, Frank (OS/ASA/OCIO)
Cc: Jones, Isabel; Mielke, Dawn M.; Cook, Brian T. (CMS/OC); Snyder, Michelle (CMS/OA); Graubard, Vivian; Vahey,
Moira; Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS)
Subject: RE: Cyber bullet points for your review; plus a question

Todd,

The bullets you have written are consistent with the letter as well as the call and statement from Gartner. In terms of
other ATOs, I would not characterize it that way because it sounds like we are doing a piecemeal approach. In reality
From: Snyder, Michelle (CMS/OA)
Sent: Sunday, September 29, 2013 4:30 PM
To: Chao, Henry (CMS/OIS); Park, Todd
Subject: Re: Food tomorrow

I am such an ogre!! Of course - eat a cupcake for me

M

Sent from my BlackBerry Wireless Device

From: Chao, Henry (CMS/OIS)
Sent: Sunday, September 29, 2013 02:41 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA)
Subject: RE: Food tomorrow

I think you can come in and help dole out the food and say hello. People here want to be able to at least see you, in
person, it really makes them feel like someone cares enough about their contribution to do this kind of thing so come in
for at least 30 minutes but don't wander to where the architects and engineers (the ones you took a picture with) are
because they will never let you leave.

Michelle - Is it ok for him to come in for 30 minutes and help serve?

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


From: Park, Todd [mailto:
Sent: Sunday, September 29, 2013 2:38 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA)
Subject: Re: Food tomorrow

I have the cupcakes — to manage expectations, they did not have 150 red velvet in stock, so I had to supplement with
other flavors :) I will subsequently acquire ice cream. Will hit the road after the 5 pm call - so would estimate an ETA of
6:30-7 pm. My dad is driving me to ensure the well being of other people on the road ;) And as per my promise to
Michelle, I will drop off the cupcakes and ice cream and immediately leave ;)


From: Park, Todd
Sent: Sunday, September 29, 2013 01:41 PM
To: 'henry.chao
Cc: 'Michelle.Snyder
Subject: Re: Food tomorrow

Am on it :)


From: Chao, Henry (CMS/OIS) [mailto:
Sent: Sunday, September 29, 2013 01:31 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA)
Subject: RE: Food tomorrow

Cupcakes are for anytime.

Ice cream has never been served here so that will be a surprise.

Tammy (CGI master at taking care of all the staff) has already ordered tonight's dinner so you are in charge of the out of
the ordinary surprises.

Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services



From: Park, Todd
Sent: Sunday, September 29, 2013 1:29 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA)
Subject: Re: Food tomorrow

I can also totally bring dinner - just let me know.... Called Georgetown Cupcake, and am going to stand in line at
store now for the cupcakes :)


From: Park, Todd
Sent: Sunday, September 29, 2013 01:24 PM
To: 'henry.chao
Cc: 'Michelle.Snyder
Subject: Re: Food tomorrow

Don't think I got the other email.... But to clarify, I should not bring dinner, but rather, red velvet cupcakes from
Georgetown Cupcake and Haagen Daz for 150 folks - yes? If so, I should jump on that - the Georgetown Cupcake part in
particular - right now


From: Chao, Henry (CMS/OIS) [mailto:
Sent: Sunday, September 29, 2013 01:20 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA)
Subject: Re: Food tomorrow

See my later email...

Red velvet cupcakes from Georgetown Cupcakes and Haagen Daz ice cream bars for about 150 people.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244

From: Park, Todd
Sent: Sunday, September 29, 2013 01:13 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA)
Subject: Re: Food tomorrow

Hi Henry - for roughly how many folks should I get dinner? Don't spend more than 10 seconds answering, and err on the
high side ;)


From: Chao, Henry (CMS/OIS) [mailto:
Sent: Saturday, September 28, 2013 11:57 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA)
Subject: Food tomorrow

The address is 593 Herndon Pkwy, Herndon VA. CGI is on the 3rd floor and you need an escort to get in on the weekend
so you can call me.

There's a fantastic admin person who takes care of ordering food so I will check with her in the morning on whether if
lunch or dinner is better and also get you a count.

I'll call you in the morning but I think likely I think it will be dinner.

Thanks.

Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 21244



Sent: Saturday, September 28, 2013 11:34 PM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA)
Subject: Food tomorrow

Hi Henry, I have permission from Michelle to bring y'all food tomorrow in Herndon on the condition that I leave
immediately after delivering the food and not involve you in a long and super-interesting conversation that takes time
away from your incredibly important work :)

Question #1: for how many people should I bring food? I want to bring food for everyone that is working there.
Depending on your answer, I may bring lunch or dinner - dinner if the number is really big, because it may take me some
time to rustle up that much food :)

Question #2: What is the address again of the Herndon building?

Thanks!

Todd
From: Park, Todd [mailto:
Sent: Monday, September 30, 2013 11:40 PM
To: Fasching, Laura; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R;
michelle.snyder
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR)
Subject: RE: New expansion

Laura, thanks so very, very much - Henry and I will be awake, by our mobiles, and online, awaiting with bated breath
what your team's ingenuity can cook up!


From: Fasching, Laura [mailto:
Sent: Monday, September 30, 2013 11:34 PM
To: Park, Todd; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R; michelle.snyder
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR)
Subject: RE: New expansion
Importance: High

Todd, thanks - the team is looking for options to assist in speeding up the deployments & VM builds - give us a little bit to
see what else we can do to assist.

Thanks

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas


From: Park, Todd [mailto:
Sent: Monday, September 30, 2013 11:02
To: (CMS/OIS); Small, David (David); Drumgoole, Christopher R;
Hemant (CGI Federal) Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR)
Subject: RE: New expansion
Importance: High

Dear Laura, David, and Chris - thank you all very much for the heroic work you have done and are doing to support
Marketplace go-live! We have one more favor to ask:

I understand from Henry that a Verizon/Terremark team is working very hard to activate all the new hardware that's
arrived at Culpeper.

Every new VM, every ounce of additional power adds materially to the probability of a successful go-live tomorrow
morning.

If there is any possible way that you could 2x, 3x, 4x progress by having teams work in parallel tonight, that would be
absolutely amazing.

Possible?

This is a historic moment, and the team is so very close to pulling off a feat for the ages - is there any way to amp things
up even further?

We would be massively, massively appreciative - please contact Henry with questions/thoughts!

All the best,

Todd

Todd Park
United States Chief Technology Officer and Assistant to the President
Executive Office of the President

From: Fasching, Laura [mailto:
Sent: Monday, September 30, 2013 7:22 PM
To: Chao, Henry (CMS/OIS); Park, Todd
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR); Fasching, Laura
Subject: RE: New expansion

All, good news!

The first 2 new compute pools are being presented to InfiniCenter now, barring any issues they should be ready in about
an hour.

New Compute Pool One (630):
GHz: 1200
RAM: 24 TB
Storage: 40 TB

New Compute Pool Two:
GHz: 1200
RAM: 24 TB
Storage: 40 TB

As we discussed today, by putting 40TB of storage on each compute pool this leaves you with only 20TB of
storage, which we will allocate 10TB to each pool and turn them up sometime tomorrow.


To meet the new storage requirements that we were given today, which is 40TB for each new compute pool,
which there will be 7 new compute pools - we are relocating/re-allocating a NetApp device to your
environment. To support this new NetApp device, we now have to have additional power run to the cage, as
we had already utilized the power that was in place for previously-planned expansions.

We anticipate that the new power runs will be completed at noon tomorrow, and we have scheduled the
NetApp technicians to be at the data center at noon to configure the devices. When they have completed
their work we can present the additional storage to the second set of 2 compute pools. While we are
working to have the compute and 10TB of storage stood up earlier in the day tomorrow, we should have the
full storage provision very late on 10/1 or very early on 10/2.


New Compute
Pool Three (632):
GHz: 1200
RAM: 2.4 TB
Storage: 10 TB
(rieee;!>f!i.fs'JS&230 
Jo 5.upnk»(l SOTRi 


New Compute
Pool Four (633):
GHz: 1200
RAM: 2.4 TB
Storage: 10 TB

■ncstJ i:o move 
539am support 
SQTat 


I will know more about the final set of 3 new compute pools tomorrow afternoon.

If you need more storage than what was discussed today, please let us know as we will need to source
additional devices.

Thanks

Laura

Laura Fasching
Strategic Accounts | Verizon Terremark
Irving, Texas, 75039


From: Chao, Henry (CMS/OIS)
Sent: Monday, September 30, 2013 12:06 AM
To: Park, Todd; Fasching, Laura
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR)
Subject: RE: New expansion

Working with Peter and H^rnant to configure the , Production enviror.tT^nt to.accominodate whaii, cs.l cufatedoft'dia 
back of an ^nvelope.tobeaboutssO Virtual Mach'Hies by momuig of October 1** and takingaconservati'/e estimate oFa 
more' complex set of processing loads through the system l Uiihk We Will hav:e‘ more iike.a range Bety/6e'h9(3k toilQk 
concurrent users depending on the level of con^plextty oftlie processing loads. 

Will get closer to real numbers as we run more tests and Terremark/URS builds the VMs and release them to us to
configure.

Henry Chao,
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services
From: Park, Todd
Sent: Sunday, September 29, 2013 PM
To: 'Fasching, Laura'; Chao, Henry (CMS/OIS)
Subject: RE: New expansion

Laura, fantastic... thank you!

Henry, quick question: if these two expansions get operationalized for go-live, how far down the path to the 130,000
concurrent users does it take us?

And Laura, when would the 3rd third get deployed?

Thanks!


From: Fasching, Laura
Sent: Sunday, September 29, 2013 11:32 PM
Cc: Fasching, Laura
Subject: New expansion

Henry & Todd

Tha builds are going well thus far. We working tocompfete the first third of your expansion. The team; is working new 
and we arehdpuig to deirver thciirst 2500 Ghiearilerthan COB with the second third of approx- leOOGhz later on 
Monday. 

I Will be at the XOC in OalumWa tomorrow we arerunningS shifts.ofaPM/SM resoume to coordinate and: a-Ssfst with 
qpestfon^. requests & escalations. 

1 will update yod all on the equipment agatfiealt/tomprrow.- 

thanks

laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
Irving, Texas, 75039
From: Fasching, Laura
Sent: Tuesday, October 01, 2013 2:53 AM
To: Park, Todd; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R;
michelle.snyder; Fasching, Laura
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal);
Oh, Mark U. (CMS/OIS); Thurston, Robert (CMS/CTR)
Subject: RE: New expansion

Todd & Henry,

URS has brought in more resources to assist with troubleshooting and builds.

We continue to keep the teams engaged and working toward our goal of a successful launch.

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039

From: Fasching, Laura
Sent: Tuesday, October 01, 2013 2:08 AM
To: Park, Todd; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R; michelle.snyder
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);
Thurston, Robert (CMS/CTR); Fasching, Laura
Subject: RE: New expansion

Todd & Henry,

As we have been working with your team to assist you in making the Marketplace launch successful, we continue to
work to adapt to your needs.

Right now, I understand that while we add more compute, the team needs the VMs built faster.

In this tasking we are using the best practices that were agreed to as to not induce risk into your builds

- such as utilizing the kickstart process (custom templates of the hardened image) for RHEL 5 & 6; Windows VMs,
the SQL VMs utilize a standard image which requires additional time to harden to NIST standards.

However we have found that due to the i^za.pfthis-cnvironmcnt lSbo+VMs, wedTeseeihgan impact 'to running too 
many builds at on ce. As doing too builds at once slows down the process by overwhelming the Virtual Center, server. 

The options we have to increase the speed of the VM builds introduce a SIGNIFICANT risk to the environment. We do
not suggest either of these options, but I wanted to give you a full picture of the situation:

1. VC Client - basically cloning of existing VMs, and while this may seem an easy option

a. Old network configs and FW rules have to be removed first. Then the new ones need to be done, very
time consuming and manual

b. Finally, these VMs will not appear in ICenter. Without them being visible in ICenter, these VMs will be
unmanageable in the future & you will not be able to manage the compute resources.

2. VM import - may get the VMs in place but they have the exact same issues as noted above.

We have engaged our vendor URS to increase staffing during this time; I will follow up shortly on the results of that
endeavor. If we can get a couple more people in now it will assist with allowing some team members to focus on the
builds while others field calls and assist with troubleshooting.

Just as we did yesterday when we received a request for more storage resources than were in either the reserve
capacity or in the expansion order, we will work to adapt to your needs as you bring the Affordable Care Act's
Insurance Exchanges to the American public.

Thanks

Laura

Laura Fasching
Director of Public Sector Strategic Accounts | Verizon Terremark
222 W Las Colinas Blvd, Irving, Texas, 75039


From: Park, Todd [mailto:

Sent: Monday, September 30, 2013 11:40 PM
To: Fasching, Laura; Chao, Henry; Small, David (David); Drumgoole, Christopher R;

Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal); Oh, Mark U. (CMS/OIS);

Thurston, Robert (CMS/CTR)

Subject: expansion


Laura, thanks so very, very much. Henry and I will be awake, by our mobiles, and online, awaiting with bated breath
what your team's ingenuity can cook up!


From: Fasching, Laura [mailto:

Sent: Monday, September 30, 2013 11:34 PM
To: Park, Todd; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R; michelle
Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal)

Robert (CMS/CTR)

RE: New expansion
Importance: High


Todd, thanks, the team is looking for options to assist in speeding up the deployments & VM builds; give us a little bit to
see what else we can do to assist.


Thanks

Laura

Laura Fasching

Director of Public Sector Strategic Accounts | Verizon Terremark
Irving, Texas, 75039


From: Park, Todd [mailto:

Sent: Monday, September 30, 2013 ll:.d 2 PM

To: Fasching, Laura; Chao, Henry (CMS/OIS); Small, David (David); Drumgoole, Christopher R;
michelle.snyder

Cc: Um, Peter (CMS/CTR); Sharma, Hemant (CGI Federal);

Oh, Mark U. (CMS/OIS);


Executive Summary

The data passing through the HealthCare.gov website is one of the largest federal collections of 
personal information ever assembled, linking individuals’ information from multiple federal agencies 
along with state agencies and government contractors. In order to browse insurance plans, users must 
input personally identifiable information, including: contact information, home address, birth dates and 
social security numbers for all family members, and employer and income information. Independent 
security experts have warned that such information is vulnerable to hackers and cyber criminals because 
of inadequate testing and security built into the HealthCare.gov website.[1]

While the Centers for Medicare and Medicaid Services (CMS) had the lead in the development of
the Federally Facilitated Marketplace (FFM), including the HealthCare.gov website, former U.S. Chief
Technology Officer (CTO) and Assistant to the President, Todd Park, appears to have been intimately
involved with the development of HealthCare.gov, including its cybersecurity standards and protocols.

On November 13, 2013, Mr. Park testified under oath before the House Oversight and Government
Reform Committee (OGR) that he did not “actually have a really detailed knowledge” of the website
before it was launched and was “not deeply familiar with the development and testing regimen that
happened prior to October 1.”[2]

However, a review of emails provided to the House Oversight and Government Reform Committee 
from the Department of Health and Human Services (HHS), which oversees CMS, indicates that: 

• Mr. Park communicated regularly with all major government and contractor personnel 
involved with the website’s development prior to October 1; 

• Mr. Park appears to have been a principal liaison to the White House and the press about 
development of the HealthCare.gov website prior to its ill-fated launch; and 

• Mr. Park appears to have been a contributing source of schedule pressure that the website be
launched on October 1, 2013.

While serving as U.S. CTO and as an Assistant to the President, Mr. Park was Co-Chair of the
Affordable Care Act Information Technology Exchange Steering Committee (Steering Committee). The
Steering Committee met monthly during key stages of HealthCare.gov development, and was tasked
with directly overseeing both security and privacy interagency working groups. In addition, the Steering
Committee’s charter explicitly directed its participants “to promote resolution of key IT strategy and
policy issues that impede progress on Affordable Care Act activities across the federal government with
the state exchanges.”[3]

A month before the website’s launch, Mr. Park emailed former CMS Chief Information Officer
Tony Trenkle about convening a meeting on Marketplace security in the next week that “would include
a discussion of our defenses, the threats, and our responses to the threats.”[4] In that same email, Mr.
Park asks for a memo “that basically outlines the protection strategy, including threat assessment
and response strategy. This will be a memo that we pass on to WH leadership as well, fyi - for
internal use only.”[5]


1 Jim Finkle and Alina Selyukh, “Some cyber security experts recommend shutting Obamacare site,” Reuters (November 19, 2013), available at:
http://www.reuters.com/article/2013/11/19/net-us-usa-healthcare-security-idUSBRE9AI0NR20131119.

2 “Obamacare Implementation - The Rollout of HealthCare.gov,” House Oversight and Government Reform Committee, November 13, 2013, available at
http://oversight.house.gov/hearing/obamacare-implementation-rollout-healthcare-gov. (Emphasis added.) [There is a discrepancy between the Committee’s
official transcript and what Mr. Park said at the hearing. The official transcript quotes Mr. Park to say, “not even familiar with the development and
testing regimen that happened prior to October 1.”]

3 The Affordable Care Act IT Exchanges Steering Committee Charter, May 2012. [OSTP ACA 000161 - OSTP ACA 000168].

It is difficult to reconcile Mr. Park’s statements under oath with the emails received thus far from 
HHS regarding his involvement with HealthCare.gov. The website was flagged in the weeks leading up 
to October 1st by CMS Chief Information Security Officer Teresa Fryer, who provided warnings “both
verbally and in a briefing that disclosed ‘high risks’ and possible exposure to ‘attacks.’”[6] Due to those
concerns, Ms. Fryer recommended denial of the FFM’s authority to operate, a critical authorization 
needed for the system to launch on October 1, 2013. 

Following the failed launch of HealthCare.gov on October 1, 2013, House Science, Space, and
Technology Committee (SST or Committee) Chairman Lamar Smith requested that Mr. Park testify at a
hearing on November 19, 2013 to examine security and privacy concerns in conjunction with the
website. The White House declined the invitation, and subsequently refused to make him available on
multiple occasions, explaining that Mr. Park would only testify if he was subpoenaed.

Instead of participating in a hearing, the White House offered to make Mr. Park available to brief 
Members of the Committee’s Subcommittee on Oversight, which was scheduled for September 10, 
2014. However, the White House canceled the briefing less than 24 hours in advance when they were 
informed that the meeting would be transcribed. 

Mr. Park’s refusal to testify before the Committee about his involvement with the security, 
development, and testing of HealthCare.gov has left the Committee with no other recourse but to 
authorize a subpoena to compel his appearance before the Subcommittee on Oversight on November 19,
2014. In addition, because of the number of discrepancies in Mr. Park’s testimony before Congress and 
Mr. Park’s emails provided by HHS, the Committee also authorized a subpoena of OSTP for any and all 
documents related to Todd Park’s involvement with HealthCare.gov. 


4 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Tony Trenkle, Chief Information Officer, CMS, et al. (August 28, 2013) [HHS-0110802]
(Emphasis added).

5 Ibid.

6 Sharyl Attkisson, “High Security Risk Found After Healthcare.gov launch,” CBS News (December 20, 2013), available at:
http://www.cbsnews.com/news/high-security-risks-found-after-healthcaregov-launch/.

I. Introduction

It appears that Todd Park was involved with cybersecurity standards and protocols for the 
HealthCare.gov website, despite statements to the contrary made by both him and Dr. Holdren. Mr. Park 
participated in background briefings for the press that included public assurances of the safety of the 
website prior to its launch in October 2013. Further, despite his testimony before the House Oversight 
and Government Reform Committee last November, Mr. Park appears to have been intimately involved
with the development of the HealthCare.gov website. Finally, in contradiction to statements made by
Office of Science and Technology Policy (OSTP) Director John Holdren, Mr. Park was employed by 
and worked for OSTP, and in that role, he appears to have been the main liaison between HHS, CMS, 
and the White House on HealthCare.gov development. 

This report reflects the information available to the Committee thus far. It explains the need for more 
information from OSTP in addition to Mr. Park’s testimony before the Committee, given concerns about 
potential obstruction of relevant information about Mr. Park’s role and responsibilities in the 
development, testing, and security of the HealthCare.gov website.

II. Mr. Park’s Involvement With Cybersecurity Standards & Protocols for HealthCare.gov
and Providing Public Assurances

Congressional investigations into the flawed HealthCare.gov website have identified varying degrees 
of concern among government officials involved with the development of the website. A Centers for 
Medicare and Medicaid Services memo on the Federally Facilitated Marketplaces (FFM) System dated 
September 3, 2013, less than one month before going active, noted that “[t]here is the possibility that the
FFM security controls are ineffective,”[7] and that “[i]neffective controls do not appropriately protect the
confidentiality, integrity and availability of data and present a risk to the CMS enterprise.”[8] Later that
month, a memo addressed to CMS Administrator Marilyn Tavenner stated, “From a security
perspective, the aspects of the system that were not tested due to the ongoing development, exposed a
level of uncertainty that can be deemed as a high risk for FFM.”[9] Further, a senior information security
expert at CMS testified that she recommended against launching the HealthCare.gov website on October
1, 2013 because of “high risk security concerns.”[10]

In multiple communications from OSTP staff, it has been repeatedly stated that Mr. Park had little
involvement in the development of HealthCare.gov prior to October 1, 2013. Specifically:

• In a letter to the Committee (dated November 8, 2013), OSTP Director John Holdren stated:

“OSTP has not been substantially involved in the privacy and security
standards that are in place for HealthCare.gov.”[11]


7 CMS Memo, “Authorization Decision for the Federal Facilitated Marketplaces (FFM) System,” available at:
http://oversight.house.gov/wp-content/uploads/2013/11/9.3.13-Trenkle.pdf

8 Ibid.

9 Memo to Marilyn Tavenner from James Kerr and Henry Chao, “Federally Facilitated Marketplace - DECISION,” September 27, 2013, available at:
http://www.scribd.com/doc/180332001/CMS-Memo-on-Marketplace-Security

10 House Oversight and Government Reform Committee press release, “CMS Officials Launched HealthCare.gov Against Warning of Agency’s Top
Cybersecurity Official,” December 20, 2013, available at:
http://oversight.house.gov/release/cms-officials-launched-healthcare-gov-warning-agencys-top-cybersecurity-official. (Emphasis added)

11 OSTP letter to SST, November 8, 2013. (Emphasis added).

• Before the House Oversight and Government Reform Committee’s Hearing on November 13,
2013, Mr. Park himself stated:

“I don’t actually have a really detailed knowledge base of what actually happened pre-
October 1.”[12]

“I am not deeply familiar with the development and testing regimen that happened
prior to October 1. So I can’t really opine about that.”[13]

“I am part of an all-hands-on-deck effort to mobilize across the Administration to
actually help under Jeff Zients’ leadership. And in the lead-up to October 1, that
wasn’t part of my role.”[14]

• In a letter to the Committee (dated November 14, 2013), OSTP Director John Holdren stated:

“[T]he Office of Science and Technology Policy (OSTP) has not been
substantially involved in the privacy and security standards for
HealthCare.gov. Thus, neither Mr. Park nor any other OSTP staff member
is in a position to testify on the data security standards of the website.”[15]

• In a letter to the Committee (dated July 3, 2014), OSTP Director Holdren said:

“Mr. Park and OSTP personnel have not been substantially involved in
developing or implementing the Federally Facilitated Marketplace’s (FFM)
security measures. In attempting to arrive at an appropriate accommodation,
this is worth emphasizing. Mr. Park is not a cybersecurity expert; he did not
develop or approve the security measures in place to protect the website, and
he does not manage those responsible for keeping the site safe.”[16]

Notwithstanding these denials, many of Mr. Park’s emails to HHS and CMS leadership in charge of
the development of the HealthCare.gov website show what appears to be substantial involvement with
the development of the website’s privacy and security standards. One email from August 2013 shows
Mr. Park emailing Tony Trenkle, who was CMS Chief Information Officer at the time, about convening
a meeting on Marketplace security in the next week that “would include a discussion of our defenses,
the threats, and our responses to the threats.”[17] Mr. Park then asks Mr. Trenkle to prepare a memo
“that basically outlines the protection strategy, including threat assessment and response strategy.
This will be a memo that we pass on to WH leadership as well, fyi — for internal use only.”[18] Further,
Mr. Park states that he will reach out to the CEO of Palantir Technologies, a computer software
company that specializes in data analysis, “Alex Karp today to let him know that we would love to
speak with him about cyber and the Marketplace - we should do a confidential, cone of silence
consult with him after we’ve had our meeting as per item 1, not before; I’ll set this up at the
appropriate moment.”[19]


12 “Obamacare Implementation - The Rollout of HealthCare.gov,” House Oversight and Government Reform Committee, November 13, 2013, available at:
http://oversight.house.gov/wp-content/uploads/2014/06/11-13-13-TRANSCRIPT-Obamacare-Implementation-The-Rollout-of-HealthCare.gov_.pdf.
(Emphasis added).

13 Ibid. (Emphasis added). [There is a discrepancy between the Committee’s official transcript and what Mr. Park said at the hearing. The official
transcript quotes Mr. Park to say, “not even familiar with the development and testing regimen that happened prior to October 1.”]

14 Ibid. (Emphasis added).

15 OSTP letter to SST, November 14, 2013. (Emphasis added).

16 OSTP letter to SST, July 3, 2014. (Emphasis added).

17 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Tony Trenkle, Chief Information Officer, CMS, et al. (August 28, 2013)
[HHS-0110802] (Emphasis added).

Following that call on Marketplace security, during an email exchange between Mr. Trenkle and Mr.
Park, Mr. Park asks, “what is the best and most efficient way to prep and utilize MITRE as an external
validator”[20] and then suggests that “on the Palantir call, my thought is to ask them to assume the role
of a general cyber sounding board, ask them what they would be most worried about if they were us,
and how they would think about defense/mitigation.”[21]

In addition, Mr. Park notes that the memo he requested earlier is for internal eyes, but that it may be
used for external purposes as well. Frank Baitman, Deputy Assistant Secretary for Information
Technology at the Department of Health and Human Services, then jumps in on the email chain and
writes, “But, for public facing material, we need to be careful to avoid too many details, and thereby
avoid providing an instruction manual or worse, a challenge to malcontents to engage,”[22] which Mr.
Park concurs with in a responding email.

While these email exchanges occurred about one month prior to the launch of the HealthCare.gov
website, Mr. Park was involved with security issues of the website much earlier in its development. Mr.
Park participated in a meeting entitled, “National Strategy for Trusted Identities in Cyberspace
(NSTIC)” at the White House Conference Center in August 2012 that was “a technical briefing with
CMS for an updated [sic] on their identity management work for the ACA Exchanges.”[23] A few
months later, Mr. Baitman forwarded an email with the subject line “Meeting with the National Security
Staff and OMB” to Mr. Park where he wrote, “Todd, here’s the note from Michael Daniel. Would you
want to follow up with him to get more details on the objective of the meeting? Tony and I chatted
about it this morning, and we’re concerned that there’ll be a push to make ACA identity proofing
NSTIC compatible from the start: that’s definitely on our roadmap, but as we discussed, that needs to
be V.2. In fact, that point has been made at previous WH meetings.”[24]

III. Mr. Park’s Misrepresentation Before Congress

On November 13, 2013, Mr. Park testified before the House Oversight and Government Reform
Committee after he was subpoenaed to appear.[25] The following excerpts from the hearing transcript raise
several questions:

18 Ibid. (Emphasis added).

19 Ibid. (Emphasis added).

20 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Tony Trenkle, Chief Information Officer, CMS, et al. (September 4, 2013)
[HHS-0106529] (Emphasis added).

21 Ibid. (Emphasis added).

22 Email from Frank Baitman, Deputy Assistant Secretary for Information Technology, HHS, to Todd Park, U.S. Chief Technology Officer, OSTP (August
28, 2013) [HHS-0110800] (Emphasis added).

23 Email from Laura Lynch, OMB, to Todd Park, U.S. Chief Technology Officer, OSTP, et al. (August 21, 2012) [HHS-0106380] (Emphasis added).

24 Email from Frank Baitman, Deputy Assistant Secretary for Information Technology, HHS, to Todd Park, U.S. Chief Technology Officer, OSTP (April
12, 2013) [HHS-0106600] (Emphasis added).

25 “Obamacare Implementation - The Rollout of HealthCare.gov,” House Oversight and Government Reform Committee, November 13, 2013, available at:
http://oversight.house.gov/wp-content/uploads/2014/06/11-13-13-TRANSCRIPT-Obamacare-Implementation-The-Rollout-of-HealthCare.gov_.pdf.

• Rep. Scott DesJarlais asked: “Okay, Mr. Park, would you, knowing what you know now, ask to
have this [the HealthCare.gov website] delayed or pushed back?”

Mr. Park responded: “I don’t actually have a really detailed knowledge base of what actually
happened pre-October 1. I don’t know what levers were available. So I would hesitate to
make any point now.”[26]

• In response to a question by Rep. Trey Gowdy regarding how much more testing of the website
Mr. Park would have done prior to launching:

Mr. Park replied: “I am not deeply familiar with the development and testing regimen that
happened prior to October 1. So I can’t really opine about that.”[27]

• Rep. Gowdy continued this line of questioning: “If you are being asked to fix this after October
in a couple of weeks, where were you for the first 184 weeks after the so-called Affordable
Care Act passed? Where did they have you hidden?”

Mr. Park replied: “Sir, in my role at the White House as USCTO in the Office of Science and
Technology Policy, I am a technology and innovation policy advisor. So I had a broad
portfolio of responsibilities.”[28]

Rep. Gowdy: “But you are obviously good enough that they brought you in to fix what was
broken. It has been called a train wreck. That is not fair to train wrecks. It has been called other
things. They brought you in to fix it. Why didn’t they bring you in to start it? Why are you doing
a reclamation project? Why didn’t you build it?”

Mr. Park: “I am part of an all-hands-on-deck effort to mobilize across the Administration to
actually help under Jeff Zients’ leadership. And in the lead-up to October 1, that wasn’t part
of my role.”[29]

Mr. Park’s denial of “detailed knowledge” and familiarity with the website in this hearing does not
appear to be supported by many of Mr. Park’s own emails to HHS and CMS. In one email from Mr.
Park to Mr. Henry Chao, CMS Deputy CIO and a key manager in the development of HealthCare.gov,
sent just two days before the HealthCare.gov website was released to the public, Mr. Park asks about the
performance and diagnostic testing of the whole system, how many users it can handle, and what
happens following certain user number thresholds.[30] Specifically, Mr. Park asks:

“—Has the team run performance/diagnostic testing on the whole FFM, so that we know that
the Marklogic bottleneck is in fact the critical, rate-limiting one, as opposed to another
bottleneck in, say, Plan Compare or elsewhere, that could also constrain the number of
concurrent users?

—In other words, does the performance testing the team is doing make you confident that the
FFM across the board can indeed take 16,000 concurrent users, rising to 60,000-70,000 with
the new hardware? — So far we were able to run 2000 concurrent users in IMPIB...

—Are we going to run performance testing today and tomorrow on the growing aggregate
collection of hardware (not just one unit of it), so we validate the projections of 16,000/60,000-
70,000 with the actual production machinery?

—Are we testing to make sure that incoming traffic gets properly load balanced across the
VM/units? (This may be accomplished by the previous item)

—What happens after the 16,000/60,000-70,000 threshold is reached? Is there gradual
degradation of response time for users? Rapid degradation? Immediate crashing?”[31]


26 Ibid. (Emphasis added).

27 Ibid. (Emphasis added) [There is a discrepancy between the Committee’s official transcript and what Mr. Park said at the hearing. The official
transcript quotes Mr. Park to say, “not even familiar with the development and testing regimen that happened prior to October 1.”]

28 Ibid. (Emphasis added).

29 Ibid. (Emphasis added).

30 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Henry Chao, Deputy CIO, CMS, et al. (September 29, 2013) [QSSI-OGR-0000133317].

A few days prior to that email from Mr. Park, Mr. Chao emailed multiple colleagues and stated,
“When Todd Park and Marilyn was [sic] here yesterday one of the things Todd conveyed was this fear
the WH has about hc.gov being unavailable.”[32] Mr. Chao followed up with, “He will come back again
and ask on 9/30 because after knowing him for the past 3+ years I can tell when he will hang on to
something for a long time.”[33]

There are also several emails where Mr. Park requests or is offered briefings on a range of items
related to the HealthCare.gov website. In one instance, Mr. Chao offers to provide Todd “a walk
through and demo of the online application in its current form so you can get a chance to peek under
the covers of hc.gov.”[34] In another example, Mr. Park emails Michelle Snyder, then-Chief Operating
Officer at CMS, and Henry Chao that he “would love (with Steve [VanRoekel]) to arrange time (1
hour) in the next week and half to check in on how things are going with respect to Marketplace IT
dev and testing.”[35] In fact, it seems as though CMS briefings to Mr. Park about development of the
website were fairly commonplace as he indicates in one email to Marilyn Tavenner, “I’m also going to
visit with Henry and team for one of our evening deep-dive sessions to get up to speed on the latest
status of IT and testing.”[36]

It is difficult to reconcile Mr. Park’s statement at the OGR hearing that he did not “have a really
detailed knowledge base of what actually happened pre-October 1” with emails in the Committee’s
possession that appear to indicate otherwise.


31 Ibid. (Emphasis added).

32 Email from Henry Chao, Deputy CIO, CMS, to Jon Booth, CMS, et al. (September 25, 2013) [HHS-0103410] (Emphasis added).

33 Ibid. (Emphasis added).

34 Email from Henry Chao, Deputy CIO, CMS, to Todd Park, U.S. Chief Technology Officer, OSTP, et al. (July 25, 2013) [HHS-0104905] (Emphasis
added).

35 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Michelle Snyder, Chief Operating Officer, CMS, et al. (June 11, 2013) [HHS-0106398]
(Emphasis added).

36 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Marilyn Tavenner, Administrator, CMS, et al. (June 26, 2013) [HHS-0106971]
(Emphasis added).

Agendas and notes from the monthly Steering Committee meetings appear to further demonstrate the
extent of Mr. Park’s involvement and his role in putting schedule pressure on CMS to go live with the
HealthCare.gov website on October 1, 2013. For instance, one meeting from May 2012 lists “Integrated
Critical Path Development” as a discussion topic, and the highlight mentions that “Todd Park reiterated
the need for knowing what the critical path deadlines are, to not exceed those deadlines, and engage
in a very high level of intensity and effort to assure deadlines are met.”[37] Another Steering Committee
meeting agenda from April 2013 states that Mr. Park “has agreed to facilitate discussions between
CMS and IRS to get several outstanding issues resolved.”[38]

The Committee also identified several emails that seem to contradict claims about Mr. Park not
being “substantially involved in developing or implementing security measures”[39] of the website prior
to its rollout. For example, in an email from Mr. Park to Mr. Chao and Ms. Snyder:

“Attempting to integrate logos into the FFM for October 1 is not advisable. This is not because
the act of integrating a logo is by itself a difficult thing to do. It’s because the process for
collecting health plan and product data from carriers via templates, loading these data into the
HIOS system, validating the data, transferring the data from HIOS into the FFM QHP
database, and having the rating engine retrieve and render that data in the FFM has been
locked down, and is being utilized to support plan data collection/validation and system testing
as we speak. Changing the underlying plan data template and processing routine right now -
by adding a new plan data element, the logo — during the crunch-time spring we’re in from
now to October 1, would introduce significant risk.”[40]

In April 2013, Mr. Park attended a briefing from McKinsey & Company where the group
“presented the results of a study it had been commissioned to conduct on the development of the
federal exchange to the White House, HHS, and CMS officials. McKinsey briefed CMS’s Chief
Operating Officer, Michelle Snyder, as well as Deputy Assistant to the President for Health Policy
Jeanne Lambrew and U.S. Chief Technology Officer Todd Park. McKinsey made a list of ‘critical
risks’ to the system, including the risk that a system failure would render the marketplace
unavailable.”[41]

The Committee has many questions for Mr. Park as to what he did with information presented in the
McKinsey briefing, including whether he briefed the President or others in the White House to ensure
they had all the information they needed before deciding to continue the rollout of the HealthCare.gov
website on October 1, 2013.

37 ACA IT Exchange Steering Committee Meeting Minutes (May 17, 2012) [HHS-0110015] (Emphasis added).

38 Marketplace Activities Minutes (April 5, 2013) [HHS-0109346] (Emphasis added).

39 OSTP letter to SST, November 14, 2013. (Emphasis added).

40 Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Michelle Snyder, Chief Operating Officer, CMS, et al. (June 25, 2013) [HHS-0106973]
(Emphasis added).

41 “Red Flags: How Politics and Poor Management Led to the Meltdown of HealthCare.gov,” An Inquiry by the Senate Finance Committee Minority Staff
and the Senate Judiciary Committee Minority Staff, June 2014, available at:
http://www.hatch.senate.gov/public/_cache/files/e3fl7336-426b-4363-ad4l-086eel20ii2n/HealthCare.gov%20REPORT.pdf (Emphasis added).

IV. Mr. Park’s OSTP Employment and Role as HealthCare.gov Liaison to the White House

When Mr. Park was named the U.S. CTO in March 2012, OSTP Director John Holdren heralded his
arrival from HHS by highlighting the fact that while at HHS, Mr. Park “led the successful execution of
an array of breakthrough initiatives, including the creation of HealthCare.gov.”[42]

Until he stepped down from his position on August 28, 2014, Mr. Park was featured on the
‘Leadership’ section of the OSTP website, under Director Holdren, where Mr. Park’s biography stated
that his focus on “technology policy and innovation can advance the future of our nation.”[43]

In his written testimony before the Committee on June 20, 2012, OSTP Direetor John Holdren 
explained: 

“OSTP also supports me in mv role as Assistant to the President for Science and 
Technolosv and the U.S. Chief Technology Officer, who sits in OSTP, in our functions 
advisins the President on S&T dimensions of the policy challenges before the Nation, 
including strengthening the economy and creating jobs, improving healthcare and 
education, enhancing the quality of the environment, and advancing national and 
homeland security. 

On five different occasions, OSTP declined the Committee’s invitations for Mr. Park to testify in a 
public hearing. In a Committee hearing on March 26, 2014, Dr. Holdren had the following to say 
regarding Mr. Park: 

“We said his involvement has not been primarily associated with the security of the site. He is 
not a cybersecurity expert, and the responsibility for the security of the site rested with CMS 
and with the interacting activities of CRS, IRS, and the SSA... 

It has been the practice of this Administration from the beginning that assistants to the 
President who are not Senate-confirmed do not testify. We have other people who are experts 
in cyber security who are willing to testify before this Committee on cybersecurity issues. Mr, 
Park is not an expert in the cvbersecuritv aspects of the Healthcare.aov website. And he is a 
direct report to the President of the United States. I can *t compel him to come and testify. He 
doesn t report to me . ' 

At no point during the June 2012 hearing, nor any subsequent hearing, did Dr. Holdren mention 
OSTP’s role or Mr. Park’s role as one of the three White House co-chairs who established the Steering 
Committee that helped to bring “agencies together to facilitate progress on key issues of concern and 
help resolve roadblocks associated with Exchange IT implementation.” Mr. Park also did not
mention this when questioned about his involvement with HealthCare.gov prior to its implementation in
his Congressional testimony last November. 


White House Blog, “Todd Park Named New U.S. Chief Technology Officer,” March 9, 2012, available at:
http://www.whitehouse.gov/blog/2012/03/09/todd-park-named-new-us-chief-technology-officer.

OSTP website, Todd Park bio, available at: http://www.whitehouse.gov/administration/eop/ostp/about/leadershipstaff/park.

SST hearing, “Examining the Priorities and Effectiveness of the Nation’s Science Policies,” June 20, 2012, available at:
http://science.house.gov/hearing/full-committee-hearing-examining-priorities-and-effectiveness-nation%E2%80%99s-science-policies. (Emphasis added).

SST hearing, “A Review of the President's Fiscal Year 2015 Budget Request for Science Agencies,” March 26, 2014, available at:
http://science.house.gov/hearing/full-committee-hearing-review-president-s-fiscal-year-2015-budget-request-science-agencies. (Emphasis added).

Email from Keith Fontenot, White House Associate Director for Health, OMB, to Todd Park, U.S. Chief Technology Officer, OSTP, et al. (March 8, 2013)
[OSTP ACA 000582] (Emphasis added).

However, in various email exchanges, it appears that Mr. Park was intimately involved with the
planning of the Steering Committee’s meetings and actively participated in them. For example, in an
email exchange between Bryan Sivak, HHS Chief Technology Officer, and Mr. Park, Mr. Park mentions
to Mr. Sivak that they will talk about potential problems with consent through the Privacy Act that Mr.
Baitman references in an earlier email, and Mr. Park says that he will make sure that Mr. Sivak is invited
to future Steering Committee meetings. In addition, key points from a November 2012 Steering
Committee meeting noted that Mr. Park “has been engaged in discussion on NIST Level 2 inter-
mechanics... CMS is moving forward with following this process, which represents SSA’s
understanding, as well... SSA is interested in understanding the downstream impact on the overall
integrated testing, as well as the timeline.”

In his role as U.S. Chief Technology Officer, it appears that Mr. Park was a direct liaison with
various staff members in the White House as well as the President regarding the development of the
HealthCare.gov website. On July 12, 2013, Mr. Chao emailed multiple CMS staffers and an employee
from CGI Federal with the subject line, “Need a write up for Todd” and went on to say, “This is for
sources material for Todd Park to pick nuggets from in his prep for briefing POTUS next week.” A
month before the website launched, Mr. Park inquired about the possibility of Edward Siskel, then-
Deputy White House Counsel and Deputy Assistant to the President, joining their call and being able to
talk afterwards. Mr. Park wrote that “one point to discuss with him is Frank's very good point that we
need to walk a fine line publicly - showing we take the risks seriously but also not baiting hackers
into attacking.”

In addition, Mr. Park helped communicate important cybersecurity talking points to White House
staff, such as when he coordinated with top CMS and HHS staff to put together cybersecurity
background points for Christopher Jennings, then-deputy assistant to the President for health policy.
Mr. Park also participated in a background call for press in September 2013 “with WH folks only,”
where he communicated HealthCare.gov cybersecurity points that he drafted.

V. Conclusion 

It is difficult to reconcile Mr. Park’s own emails relative to HealthCare.gov prior to its launch on 
October 1, 2013 with his testimony before the House Oversight and Government Reform Committee on 
November 14, 2013. The House Science, Space, and Technology Committee made repeated efforts for 
Mr. Park to appear in a public hearing or a transcribed briefing/interview over the course of the past 
year. OSTP has repeatedly blocked these requests. Given the emails provided to Congress by HHS, it 
appears that Mr. Park purposefully and willfully misrepresented his role and responsibilities with the 
Healthcare.gov website. The Administration has protected Mr. Park, who was a senior White House
official and part of the Office of Science and Technology Policy, from answering questions before the
Committee about his role in the development of HealthCare.gov.


Email from Bryan Sivak, Chief Technology Officer, HHS, to Todd Park, U.S. Chief Technology Officer, OSTP (January 7, 2013) [OSTP ACA 000307].

Meeting Minutes, ACA IT Exchange Steering Committee, November 29, 2012. [HHS-0110501 - HHS-0010504].

Email from Henry Chao, Deputy CIO, CMS, to Lakshmi Manambedu, CGI Federal, et al. (July 12, 2013) [CGUIR 0016S0O0].

Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Tony Trenkle, Chief Information Officer, CMS, et al. (September 3, 2013) [HHS-0106446] (Emphasis added).

Email from Todd Park, U.S. Chief Technology Officer, OSTP, to Christopher Jennings, Deputy Assistant to the President for Health Policy, The White
House (September 3, 2013) [HHS-0106447].

Email from Todd Park, Chief Technology Officer, OSTP, to Jessica Santillo, et al. (September 17, 2013) [HHS-0105403] (Emphasis added).

For these reasons, the Committee issued a subpoena to compel Mr. Park’s appearance before the 
Oversight Subcommittee on November 19, 2014, one year after the Committee’s first request for him to 
testify, to provide answers about his involvement with HealthCare.gov. 

Beyond the need for public integrity and transparency, it is important to note that the estimated cost 
for the HealthCare.gov website to the American taxpayer is “upward of $2 billion.” Yet, a recent U.S.
Government Accountability Office report on HealthCare.gov noted that “weaknesses remain both in the
processes used for managing information security and privacy, as well as the technical implementation
of IT security controls.” Further, in July of this year, “a hacker broke into part of the HealthCare.gov
insurance enrollment website... and uploaded malicious software.” These are serious ongoing concerns
more than a year after the website was launched, and as the next open-enrollment period approaches, the 
Administration needs to assure Americans that their personal information is secure on the 
HealthCare.gov website. 


Alex Wayne, “Obamacare Website Costs Exceed $2 Billion, Study Finds,” Bloomberg (September 24, 2014), available at:
http://www.bloomberg.com/news/2014-09-24/obamacare-website-costs-exceed-2-billion-study-finds.html

“HealthCare.gov - Actions Needed to Address Weaknesses in Information Security and Privacy Controls,” GAO, September 2014, available at:
http://www.gao.gov/products/GAO-14-730

Danny Yadron, “Hacker Breached HealthCare.gov Insurance Site,” Wall Street Journal (September 4, 2014), available at:
http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043
Message

From: Park, Todd [Todd_Y_Park@ostp.eop.gov]

Sent: 8/29/2013 1:39:3S AM 

To: Trenkle, Tony (CMS/OIS)

CC: Baitman, Frank (OS/ASA/OCIO); Snyder, Michelle (CMS/OA); Mielke, Dawn M. [Dawn_M._Mielke@ostp.eop.gov];
Graubard, Vivian [Vivian_P_Graubard@ostp.eop.gov]; Khalid, Aryana C. (CMS/OA); Charest, Kevin (OS/ASA/OCIO/OIS)

Subject: Re: Cyber next steps


Terrific, Tony, thanks, looking forward to it!


Todd 


From: Trenkle, Tony (CMS/OIS) [mailto:tony.trenkle@cms.hhs.gov]
Sent: Wednesday, August 28, 2013 09:37 PM
To: Park, Todd
Cc: Baitman, Frank (OS/ASA/OCIO) <Frank.Baitman@hhs.gov>; Snyder, Michelle (CMS/OA)
<Michelle.Snyder@cms.hhs.gov>; Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C. (CMS/OA)
<Aryana.Khalid@cms.hhs.gov>; Charest, Kevin (OS/ASA/OCIO/OIS) <Kevin.Charest@hhs.gov>
Subject: Re: Cyber next steps

I think that we all can agree on that Todd, the call will follow the outline that you laid out in your email and our
discussion should then drive what we say in the memo.

On Aug 28, 2013, at 7:58 PM, "Park, Todd" <Todd_Y_Park@ostp.eop.gov> wrote:

OK, will try to call in for a 10 am Wed meeting and make that work. And Frank, agree with your points about
public-facing material.

Thanks!

Todd

From: Baitman, Frank (OS/ASA/OCIO) [mailto:Frank.Baitman@hhs.gov]
Sent: Wednesday, August 28, 2013 7:2-1 PM
To: Park, Todd; Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Khalid, Aryana C. (CMS/OA); Charest, Kevin
(OS/ASA/OCIO/OIS)
Subject: Re: Cyber next steps

+ Adding Kevin

Todd et al,

Unfortunately the Secretary's Leadership Council is next Wed afternoon - and believe we’ll have some IT items on the
agenda, so I need to be there.


HHS-0110800

I believe we can address our defenses in a balanced manner: it should come as no surprise that we experience attacks
and have defenses. But, for public facing material, we need to be careful to avoid too many details, and thereby avoid
providing an instruction manual or worse, a challenge to malcontents to engage.

- Frank 

From: <Park>, Todd <Todd_Y_Park@ostp.eop.gov>
Date: Wednesday, August 28, 2013 6:44 PM
To: "Trenkle, Tony (CMS/OIS)" <tony.trenkle@cms.hhs.gov>
Cc: "Snyder, Michelle (CMS/OA)" <Michelle.Snyder@cms.hhs.gov>, "Mielke, Dawn M."
<Dawn_M._Mielke@ostp.eop.gov>, "Graubard, Vivian" <Vivian_P_Graubard@ostp.eop.gov>, Frank Baitman
<frank.baitman@hhs.gov>, "Khalid, Aryana C. (CMS/OA)" <Aryana.Khalid@cms.hhs.gov>
Subject: RE: Cyber next steps

Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd

From: Trenkle, Tony (CMS/OIS) [mailto:tony.trenkle@cms.hhs.gov]
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,


HHS-0110801


We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.

From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov]
Sent: Wednesday, August 28, 2013 9:45 AM
To: Trenkle, Tony (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian
Subject: Cyber next steps

Hi Tony, just spoke with Michelle, and she thinks our game plan makes sense, with additions:

1. We should convene a work session in the next week with you, Teresa, Frank
Baitman, his CISO, and probably a DHS person and DOJ person (she was thinking someone who has experience
going after cyberattackers), plus any other folks you want to have there - to discuss how to protect the
Marketplace from cyberattack. This would include a discussion of our defenses, the threats, and our responses
to the threats. I would absolutely love to be part of as much of this meeting as I can, but also don’t want to be a
scheduling bottleneck, and it should really happen sooner rather than later - looping Dawn and Viv to help with
my schedule. You should go ahead and schedule the meeting, and I will try to be there for as much of it as I
possibly can!

2. You/Teresa can then prepare a memo (could be for Michelle, for Marilyn, for
others - we'll figure that out) that basically outlines the protection strategy, including threat assessment and
response strategy. This will be a memo that we pass on to WH leadership as well, fyi - for internal use only.

3. I will also reach out to Alex Karp today to let him know that we would love to
speak with him about cyber and the Marketplace - we should do a confidential, cone of silence consult with him
after we've had our meeting as per item 1, not before; I'll set this up at the appropriate moment.

Does this sound cool to you?

Thanks!

Todd


HHS-0110802
Message

From: Park, Todd [Todd_Y_Park@ostp.eop.gov]
Sent: 8/28/2013 10:44:53 PM
To: Trenkle, Tony (CMS/OIS)
CC: Snyder, Michelle (CMS/OA); Mielke, Dawn M. [Dawn_M._Mielke@ostp.eop.gov]; Graubard, Vivian
[Vivian_P_Graubard@ostp.eop.gov]; Baitman, Frank (OS/ASA/OCIO); Khalid, Aryana C. (CMS/OA)
Subject: RE: Cyber next steps


Tony, great, thank you, looping Aryana as well.

Might it be at all humanly possible to set up the meeting/call to happen between 1 and 4 pm on Wednesday? If that is
not possible, I can try to figure something out, but just thought I'd check :)

Aryana and I were also just in a meeting where we got some additional insight that is helpful:

• There is a cyber and ACA subcommittee hearing happening on September 11, so it probably makes sense to
target putting together a memo by end of next week (and talking with Alex Karp by end of next week to help
inform the memo - will try to set up time with him for Thursday the 5th)

• It sounds like folks would like the memo to cover (1) our preparation for and defenses against cyberattack, (2)
what would our response/action be if an attack/crisis happened, and (3) how would we prosecute
attackers. The roster for the meeting Michelle recommended (to include DHS and also DOJ to handle the
prosecute part) sounds spot on.

• Potentially for incorporation in the memo: external validators who could speak to the quality and strength of
CMS cyberdefenses, should that become useful. Alex Karp could be one, but might you have others as well?

The memo is again for internal eyes only, but it sounds like people will draw from it in appropriate ways for external
communications purposes as well.

Thanks!

Todd

From: Trenkle, Tony (CMS/OIS) [mailto:tony.trenkle@cms.hhs.gov]
Sent: Wednesday, August 28, 2013 5:44 PM
To: Park, Todd
Cc: Snyder, Michelle (CMS/OA); Mielke, Dawn M.; Graubard, Vivian; Baitman, Frank (OS/ASA/OCIO)
Subject: RE: Cyber next steps

Todd,

We are looking at setting up a call/meeting for next Wednesday morning at 10. I just spoke with Frank and that works
for him. Teresa is already working with Kevin on pulling information together. I'll ask my scheduler to work with Dawn
and Viv.

Sent: Wednesday, August 28, 2013 9:45 
2. We had already included the SANS award into the internal memo, however, we are expanding the explanation
about the CMS continuous monitoring capabilities and how they have now been expanded to the marketplace
systems.

3. Yes. Teresa and Mike will join the Palantir call.

From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov]
Sent: Wednesday, September 04, 2013 12:33 PM
To: Trenkle, Tony (CMS/OIS)
Cc: Baitman, Frank (OS/ASA/OCIO); Tavenner, Marilyn (CMS/OA); Khalid, Aryana C. (CMS/OA); Snyder, Michelle
(CMS/OA); Fryer, Teresa M. (CMS/OIS); Mellor, Michael (CMS/OIS); Charest, Kevin (OS/ASA/OCIO/OIS)
Subject: Re: Follow up to this morning's call

Tony, great job to you, Frank and team on the call - it was very productive and helpful. Your next steps sound exactly
right. Three additional questions/notes:

1. What is the best and most efficient way to prep and utilize MITRE as an external validator? Would it be to give them a
copy of the internal memo, under cone of titanium silence, and ask them to be ready to speak to external folks before or
after the hearing about the general soundness of the approach CMS is taking? Would it be appropriate to touch base
with them this week about serving as an external validator, so we can confirm that they are willing to do this?

2. Thoughts on integrating a couple of sentences about the external award CMS received for its monitoring work into
either the internal memo or the external Q and A?

3. On the Palantir call, my thought is to ask them to assume the role of a general cyber sounding board, ask them what
they would be most worried about if they were us, and how they would think about defense/mitigation. Sound OK? And
will you and Frank have your CISO team join?

Thanks so much!

Todd


From: Trenkle, Tony (CMS/OIS) [
Sent: Wednesday, September 04, 2013 11:59 AM
To: Park, Todd
Cc: Baitman, Frank (OS/ASA/OCIO) <Frank.Baitman@hhs.gov>; Tavenner, Marilyn (CMS/OA)
<Marilyn.Tavenner@cms.hhs.gov>; Khalid, Aryana C. (CMS/OA) <Aryana.Khalid@cms.hhs.gov>; Snyder, Michelle
(CMS/OA) <Michelle.Snyder@cms.hhs.gov>; Fryer, Teresa M. (CMS/OIS) <Teresa.Fryer@cms.hhs.gov>; Mellor, Michael
(CMS/OIS) <Michael.Mellor@cms.hhs.gov>; Charest, Kevin (OS/ASA/OCIO/OIS) <Kevin.Charest@hhs.gov>; Trenkle,
Tony (CMS/OIS) <tony.trenkle@cms.hhs.gov>
Subject: Follow up to this morning’s call


Todd,


I thought the call went well and hopefully it responded to Ed Siskel's concerns as well as yours. Here is a summary of
next steps. I am also copying Michelle and Marilyn to keep them informed.
1. CMS will prepare an internal memo that discusses our security marketplace security preparations and
operational plan of action. The memo will focus on the following areas in some detail, but will not discuss
specific product names:

a. Preparations for and defenses against cyber-attack - this will discuss specific marketplace work as well as
the overall CMS IT security infrastructure

b. Response/actions in the event of an attack/crisis - Also will discuss marketplace specific and how that ties
into our current response planning.

c. Coordination with the HHS IG on potential prosecutions - This will only focus on our initial handoff to the
IG, not what occurs after that.

Frank and Kevin will add detail on how HHS provides additional overall support. The memo will be distributed to a
limited internal Government audience, to be coordinated through you. We discussed that one way of sending the
memo would be to address it from me to Frank. A draft of the memo is being developed and will need to be vetted with
Michelle and Marilyn. I assume that Frank will handle any Departmental communications with assistance from us as
needed. We will attempt to have the memo available by COB Friday, depending on clearance.

2. On a separate but related track, we will work with Frank to develop generic Q&As that could be made
public. These will not address specifics of CMS internal security infrastructure but would focus on overall
government security measures, that the Marketplace would adhere to. These could potentially be given to
minority House members before the 9/11 hearing. We are sensitive to the fact that these Q&As be kept generic
and not draw hackers' attention. We will also try to have these done by the end of the week.

3. We agreed that for external validation, Mitre would be the most logical choice, given their long-track record of
working with multiple Federal agencies and their overall knowledge of the IT security industry, including private
sector security measures. We agreed that other external organizations would not have the depth of business
and technical knowledge to provide a good validation without diverting CMS resources needed to finish the
testing.

4. We will speak with the Palantir folks today at 4 but will keep the discussion high-level, recognizing that they are
not an appropriate choice to be an external validator.

Others, please add if I have missed anything.

Tony 


HHS-0106530

Appointment

From: Laura_E_Lynch@omb.eop.gov [Laura_E_Lynch@omb.eop.gov]
Sent: 8/21/2012 9:35:19 PM
To: VanRoekel, Steven [Steven_L_VanRoekel@omb.eop.gov]; Callaghan, Liz M. (OS/ASA/OCIO); Martin, Kathryn;
Tran-Lam, Minh-Hai; Bales, Carol A.; Pie-FHakon, ^isa; Reczek, Jeff; Trenkle, Tony (CMS/OIS); Chao, Henry (CMS/OIS);
'jeremy.grant@nist.gov'; 'deborah.gallagher@gsa.gov'; Lynch, Laura; Lefkovitz, Naomi B. (naomi.lefkovitz@nist.gov);
Williams, Sonji (CMS/OIS); Schlosser, Lisa; Fontenot, Keith J.; Park, Todd; Baitman, Frank (OS/ASA/OCIO); Overstreet,
Tyler J.; Mostashari, Farzad (HHS/ONC); Rice, M. David; Pritts, Joy (HHS/ONC); Welling, Erum; Zhen, Changqing
Subject: Copy: ACA NSTIC Meeting
Location: Eisenhower Room, WHCC
Start: 8/31/2012 2:30:00 PM
End: 8/31/2012 3:30:00 PM
Show Time As: Busy


All - please find the deck for this meeting attached. Thanks, Laura


This is a technical briefing with CMS for an update on their identity management work for the ACA Exchanges. With the
meeting taking place in the White House Conference Center, no waves is needed.
Appointment

From: Park, Todd [Todd_Y_Park@ostp.eop.gov]
Sent: 6/W/2Cl3 259:ia PM
To: Park, Todd [Todd_Y_Park@ostp.eop.gov]; Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS); VanRoekel, Steven;
Lynch, Laura; Tran-Lam, Minh-Hai; Ple-Pfakon^ ARsa; Sivak, Bryan (HHS/IOS); Baitman, Frank (OS/ASA/OCIO); Kendali,
Oamaris (HHS/D5); Ar.Ttstead, A'ldrea E. (CMS/OA); Setn, Soarman M, (CMS/OA); Reczek, Jeff; Overstreet, Tyler J.;
Martin, Kathryn; Williams, Claudia; Schlosser, Lisa
Subject: Copy: ACA Sync-up
Location:
Start: 6/26/2013 2:00:00 PM
End: 6/26/2013 3:00:00 PM
Show Time As: Busy


From: Park, Todd
Sent: Tuesday, June 11, 2013 07:52 PM
<henry.chao@cms.hhs.gov>
Cc: marilyn.tavenner@cms.hhs.gov <marilyn.tavenner@cms.hhs.gov>; VanRoekel, Steven; Graubard, Vivian; Lynch,
Laura
Subject: Sync-up

Hi Michelle and Henry, hope all is terrific with you!

As you've heard from Marilyn, would love (with Steve) to arrange time (1 hour) in the next week or week and half to
check in on how things are going with respect to Marketplace IT dev and testing. (And also to discuss the tactical
question of issuer logos). Would love to arrange a visit to Baltimore, but given how crazy schedules are, I'm guessing
that a videoconference or conference call would be more feasible.

We don't need any special documentation or whatnot. Just if you have something that you've already put
together for another purpose that you’d like to send, great.

May Vivian and Laura work with your office to set up a time to chat?

Cheers,

Todd
Message

From: Baitman, Frank (OS/ASA/OCIO)
Sent: 4/12/2013 3:14:35 PM
To: Park, Todd [Todd_Y_Park@ostp.eop.gov]
Subject: FW: Meeting with the National Security Staff and OMB
Attachments: image002.jpg

Todd, here's the note from Michael Daniel.

Would you want to follow up with him to get more details on the objective of the meeting? Tony and I chatted about it
this morning, and we're concerned that there’ll be a push to make ACA identity proofing NSTIC compatible from the
start: that's definitely on our roadmap, but as we discussed, that needs to be v.2. (In fact, that point has been made at
previous WH meetings.)

Thanks,

- Frank


From: Caddy, Cheri [mailto:Cherylene_G_Caddy@nss.eop.gov]
Sent: Thursday, April 11, 2013 6:03 PM
To: Holland, Ned (HHS/ASA); Trenkle, Tony (CMS/OIS)
Cc: Daniel, J. Michael; Ozment, Andy; jeremy.grant@nist.gov; Lefkovitz, Naomi B. (naomi.lefkovitz@nist.gov);
VanRoekel, Steven; Daviin, Jessica
Subject: Meeting with the National Security Staff and OMB


Mr Holland and Mr Trenkle,

Michael Daniel would like to meet with you on 23 April at 3pm at the White House to discuss CMS plans for user
credentialing and identity proofing in its implementation of the Affordable Care Act. Could you please confirm your
availability for this time, or provide a scheduling POC whom we can work with?


Thanks for your help,

Cheri Caddy


Director for Cyber Policy Integration and Outreach
National Security Staff
Executive Office of the President
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‘Srhery': .Cainpbe) 
■rich.Ettrtina 


' Hefcant . Shs.ms| 
ch . Bartl rtl 


•rHeni-'St.Sharr 
; vai), Htifig B. CO^/GI?7” 


1 be'Hewt Htreait & cci reeds co adds'ess those questions based OB rbe Perforrsanct testing run last right. 

\A'l' be continue tc test twJay, ta&orrow & bi^nd aetril « reach st least lOfc concurrent users, ard 
evgntti^l'y SOfe. Sr- far, only revered xlie Indlviduiil at>p1it?T.ien in PSt, and today !«»e''ri ee focusine on 
scripting Plan resi-lts. Plan compare, and eerolltsietts. aIm es’ll be performance testing FFM-eidm 
integration today. 


— . — origTna! hessaga 

From: Chqp, Henry CC?-*S/ 0 I 5 ) 

Sent: Sunday, September 29, 2Ci3 S:43 AM 
To: T'fiurston, Robert ^ . 

'george.schltidiejJ|||||||M ‘Cheryl .caiapbi 

’rith.!n3rtinMH||H van, wung B. 

subject: Pw; i?>5Si5^c^point5 


>cr 29, 2Ci3 S:43 AM 

5.<?^S/CTRj; Zanan, Akhtar CQ< S/D2S3; oat erbHdge, Venigue i’vMS/ QIS’j; 
van, wung B. 


These are Todd's questions.


Henry Chao
Deputy Chief Information Officer and Deputy Director
Office of Information Services
Centers for Medicare & Medicaid Services
7500 Security Blvd
Baltimore, MD 212*^


-----Original Message-----
From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov]
Sent: Sunday, September 29, 2013 OS:23 AM
To: Chao, Henry (CMS/OIS)
Cc: Snyder, Michelle (CMS/OA)
Subject: Discussion points

Hi Henry, channeling my inner Michelle, a few questions (all of which I think you or I have floated at
some point), perhaps for discussion at the 9 am or later today:

-- Has the team run performance/diagnostic testing on the whole FFM, so that we know that the MarkLogic
bottleneck is in fact the critical, rate-limiting one, as opposed to another bottleneck in, say, Plan
Compare or elsewhere, that could also constrain the number of concurrent users?

-- In other words, does the performance testing the team is doing make you confident that the FFM across
the board can indeed take 16,000 concurrent users, rising to 50,000-70,000 with the new hardware? - So
far we were able to run 2000 concurrent users 'n Iv

-- Are we going to run performance testing today and tomorrow on the growing aggregate collection of
hardware (not just one unit of it), so we validate the projections of 16,000/50,000-70,000 with the
actual production machinery?

-- Are we testing to make sure that incoming traffic gets properly load balanced across the VMs/units?
(This may be accomplished by the previous item)

-- What happens after the 16,000/50,000-70,000 threshold is reached? Is there gradual degradation of
response time for users? Rapid degradation? Hardware crashing?

Massive kudos again for the incredible progress the team is making!

This electronic mail (including any attachments) may contain information that is privileged,
confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s).
Any dissemination or use of this electronic email or its contents (including any attachments) by persons
other than the intended recipient(s) is strictly prohibited. If you have received this message in error,
please notify the sender by reply email and delete the original message (including any attachments) in
its entirety.


Confidential and Proprietary Business Records
Produced Pursuant to House Rules VIK3)(b)(2) & (3)(b)(4)
Message

From: 

Sentr 

To; 


CC; 


Subject: 


Chao, Henri^CMS/OtS) [/C=4HHSEES/QU=FSRSTADM!NISTBAllVe GROUP/CN=KEaP|ENTS/CK-4HEN'RY.CHAO-,OS] 
S/2S/3C13 8:53:00 PM 

Booth, ior-- C. fCMS/OC) (/O^KHS £CS/OlK:f:-rst Admiakstrative 6roup/cn=sRedpienls/cn~ion.booth.cmsa9225837|; 
Patel, Keran (CMS/OC) [/0=HHS tES/OU»F}rst Administrative GrQup/cn=Redptsnts/cTia‘<2Tan,aarei.cmsl290Z3611; 
Unares, George E. (CMS/DtS) (/0=»HHS EES/OU=First Admlnfetrative 

Gmup/cn-ReCfpients/cn"georfe.Mf>ares.crTiS3644-14811; Skjnne*, Dennis R. (CMS/015) l,^0“HH5 ECS/DU-Rrst 
Administrative Croup/cn=Fledpffents/cnKden.’i)s,sktnner.crns96729034jj Royle, Erick B. (CWS/OIS) i/0»HHS 
EE5/OU=Fir5t Admir^i5tratfVCG:’Oup/cn®RecifMents/cn=erid(.ro¥te.cm£S8397?02); Sharma, Hernant {CGI Federal) 
(HcmantSh.srmalllllllllllllllllllll^ (Hemant.Sh3rnia^||||g|||PI||||^^ Keith Rubin li^^'th.P.ubh^lBllfllPIIIIII^ 
Margijsh, Doug C (CMS/OiS) L'O^HS E£S/oU>^Rrst Administrative 
Group/crt-Recbie.nt£/cn=doug.margushxms3434942l]; KaritonKim 
Schankwfc’isr, Thomas W, (CMS/0!S} {/O-HHS EC5/OU*=F!r« Administrative 
Group/cn=Redpienks/cn~Therrias.Schankvk'eiie:.PSC| 

Outerbridge, Mcnique (CMS/OiS) [/0=KHS EES/OU=First Adminfetrative 

Group/cn=f?eclDier{ts/cn«Mon!que,OutErbndge.OS1; Kasiton Kim iKkUr-HjHHmimP; Rich Martin 
{Rich.Marth4||g^gPm (Fibb.M3rtln§|g|gB|g||gi Oh, Mark U. {CMS/OIS} j/0=HHS EES/OU=EXCKANGE 
ADMlNiSTRATIVE GROUP (FYDlBOKF13SPCLT)/a«J=REap!ENTS/Ct4=Maic,Oh,OSj; Thurston, Robert (Ow*S/aR) 
[/0=HHS £ES/QU=First Adrrtnistrativs 6ro»p/cn=Reciaients/cn=^obert.Thur5ton,CMS|; U,m, Peter (CMS/CTR} 
[/■0=+IHS EES/OU=EXCHANG£ ADMINISTRATIVE GROUP 

(FyDiDOHF23SPDLT)/CN^R£CiPfENTS/CN=Peter.Ufnl.CMSi®ees.hhs.gov57f|;Radciiffe, Glenn 0.(CMS/Oi5)I/03=HH5 
rES/OL’=EXCHANGE ADM-INfSTRATiVE GROUP {FVDIBOHF23S?D;.T}/CN=REClPiENTS/CN=Gicrrn.Radci!ff.CSl; Sharma, 
Hemant |CGI FedemI) {Hcmant.Sh3rma|m0|Bm|||^ [HemantSharm,a|||||g||||ggPI|^^ Keith Rubin 
IKcith.Rubingimi^IgBMIli; (CMS,701S) 5/0=HHS CES/OU=EXCHANSE ADMINISTRATIVE GROUP 

{FYDlBOHF23SPinT)/CN-REaP!rNTS/CN=Todd.Cojtsl.CMS@ee$.hhs.gov33a}; Basavaraju, Venkat {CM5/0!5) 
i/OsHEiS EES/OU=F!rst Administrative Gro'jp/cn«Recipients/cn»Venkat.B£5avaraiu .CMS); Dri5Co!i,Ad3m {CMS/OiS) 
l/O^HHS [-ES/CUaFirst Administrative Sroup/cn*-Recipients/cn='Adam Drtscoli.CMS); Berkley, Katrina (CMS/OIS) 
i/O-HHS EES/OU'^Firsl Administrative G-oup/cn=Recip;eRts/cn=katfina,i2yng.cmsS61S7767); Trenkie, Tony 
{CMS/OlSj {/0=KHS £ES/OU»First Administrative Groijp/cn=R«-JpP‘riT,s/m=rony,trenkle.rmi42098130]; Carxr, Cathy 
T. (CMS/OfS),[/'C3=HH5 EE5/OlI=Fifst Administrative Groi;p/cn»Reclpients/cn=rathv.canBr.cms729241491; Gass, 
Carole F. (CMS/OIS) l/0»HHS £ES/CU=Rrst Administrative Group/cn=Ret:p:ents/cn=carDie.gass.ctTisRBB6gSll}; 
Hogie, Mark P. (CMS/OIS) :/0-HHS EES/OU^First Administrative 

GrDup/cn»R«'.'pitjnts/cn«rnark.hogre.cms6i7812453; Peel, Nydia M. (OMS/OIS) [/0«HHS E£5/OUaFirst 

Admbistratfve Group/cn=’Peapier>ts/cn=nydia.pee!.CTnsA9357865'*; Walter, Stephen 1. (CMS/OIS) I/O^hlHS 
EES/OUaFirst Administrative Group/cn=Rec>pients/!:n«stephcn.weiter.cms3848?S761; Margush, Doug C. (CMS/OIS) 
{/0=HH S £ES/OU=First Admlnislrative Group/cn-Rccipients/cn=doug.margu5h.ems3<349421}; Stevenson, Corey B. 
(CMS/OtS) [/0»HHS EES/OUsPirst Administrative Group/cn=’ftecipients/cn=carey.5teven5Ori,cm58940J8?S]; Gray. 
Edward M. (CMS/OtS) [/Oi^HHS E£S/OU=first Administrative G'OLip/cn=ifieciplents/cn»edw»rd.gray.cms049S0aM3; 
Plaugher, Mark i. (CMS/CIS) r/0>*HHS eES/OU=EXCHANG£ ADKIINiSTRA-HVE GROUP 
(FyDtBOHf23SPDLT}/CN=R£CiPIENTS/CN=Mark.Pla'4gherl.CMS'.; Skinner, Dennis R. (CMS/OIS) !/0=HHS 
EES/OU»First Administrative Srouo/cn^eclp!etits/cn«dennis.synner.cms9fi729034l; Ro/ie, Erick B. (CMS/OlS) 
[/C=MHS EES/'OU^First Administrative Group/cn=Rec;pients/cn=erkk.royt8.cms5B3972023; Fletcher, John A. 
(CMS/OiS) t/O'hHS EES/OU=first Administrative Group/cn=Recipjents/cn=jofih.f.elcher,cms5S745823]; Trudel, 
Karen (CMS/OIS) {,''0=HHS E£S/OU“First Administrative Group/cn^edp:enrs/crj=karen.trudefLcrr;s6437236Sl 
RE; CGi Dcpiovment Nottfication - £&.ETE5T2Tuesdav\Wednesd3y September Z4\25 R7.D.0.9.1Q Build 279 


Importance; High 


Jon, Ketan, and George— When Todd Park and Marilyn was here yesterday one of the things Todd conveyed was this 
fear the WH has about hc.gov being unavailable. I explained about the Akamai piece and the split between learn and get 
insured sides so he was satisfied for the moment. He will come back again and ask on 9/30 because after knowing him 
for the past 3+ years I can tell when he will hang on to something for a long time. Todd does have a good point and I 
think we should have a more comprehensive answer as to how we will ensure high availability. I think this discussion 
includes the shared services as well. 

George— can I ask you to lead a discussion on HA across the board with ensuring we have everything aligned with the 
demand for 99.99% uptime on HC.gov (or at least the learn side as a minimum, including Spanish learn) and all of the 
dependencies with Secur iti<, Akamai, TMRK Internet facing bandwidth and redundancies, security early warning and 
monitoring, Shared Services, and CGI, QSSI, and CAG operations. Todd is conducting cutover reviews and some of that is 
complementary to a HA plan. 

Dennis and Erick— would you please document this and capture the ops aspect of HA and execution of monitoring to 
ensure all the dependencies have early warning monitoring of degradation and/or signs where we have to take the site 
down and/or bounce the servers? Please put it in to an ops document format like an SOP and do the necessary changes 
needed for the monitoring tools. Perhaps Yousaf can assist here. 

Jon and Ketan—can you think about a better way to convey to the public when the site is not available? I am picturing 
in my mind all the major print and online publications taking screenshots of what is below and just ramping up the 
hyperbole about hc.gov not functional. 

Let me know if you have questions. 


Thanks 


Henry Chao 

Deputy CIO & Deputy Director, 
Office of Information Services 

Centers for Medicare & Medicaid Services 


From: Manik Naik [mailto:mnaik[redacted]] 

Sent: Wednesday, September 25, 2013 3:04 PM 

To: Bartolotta, Larry (CGI Federal); Van, Hung S. (CMS/OIS); Shannon, Andrew (CGI Federal); Margush, Doug C. 
(CMS/OIS); Kutsitev, Lubo (CGI Federal); fteidecker. Be* (CGI Federal); O'Mara, Katyamie J (CGI Federal); Oh, Mark U. 
(CMS/OIS); Dill, Walter (CMS/OIS); Donohoe, Paul X. (CMS/OIS); Carter, Cheryl < (CGI Federal); Deepak Bhatta; Walker, 
Benjamin L. (CMS/CCIIO); Zaman, Akhtar (CMS/OIS); Winthrop, Monica (CGI Federal); Martin, Rich (CGI Federal); Chao, 
Bing (CMS/OIS); Jagadish Gangahanumaiah; Karlton Kim; Maenner, Kristwe S. (CMS/OEM); Miller, Daniel J. (CMS/OIS); 
Shao, Ujur^ (CMS/CPI) 

Cc: James, Brian M. (CMS/CCIIO); Thompson, Tyrone (CMS/OIS); Walter, Stephen J. (CMS/OIS); Shropshire, Richard 
(CMS/CCIIO); Cummings, Duane (CGI Federal); Thurston, Robert (CMS/CTR); De Meura, J^e (CGI 
Federal); FFM-Build Deployment; Calem, Mark (CGI Federal); Sharma, Hemant (CGI Federal); Hatkedis, John (CGI 
Federal); Kodavakim, Radha (CGI Federal); Scxjsa, Steven (CGI Federal); Banerjiee, Dharrtri (CGI Federal); 
1bjcmes[redacted]; Pradeep Jain; Pankaj Shekhawat; Dinakaran, Sai (CGI Federal); Sean McHale; Devkmandan SaM; 
Chao, Henry (CMS/OIS); Outerbridge, Monique (CMS/OIS) 

Subject: RE: CGI Deployment Notification - E&E TEST2 Tuesday\Wednesday September 24\25 R7.0.0.9.10 Build 179 
Sent from my BlackBerry Wireless Device 


— Original Message — 

From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov] 

Sent: Tuesday, July 30, 2013 09:43 PM 
To: Chao, Henry (CMS/OIS) 

Cc: Snyder, Michelle (CMS/OA) 

Subject: RE: Walk through of the online application in hc.gov 

Hi Henry and Michelle, just circling back on the below, to see what 
general date range you think might make sense for this visit - would 
next week work? Just need to have a bit of advance time to line up 
Julian and David's schedules (and I'm out the week of August 12-16). 

Also: if you want to cut down on the time of the visit, ratcheting it 
down to something more like 60-90 minutes, or modify the agenda in any 
way, just let me know.... 

Thoughts? Thanks! 

Todd 

— Original Message — 

From: Park, Todd 

Sent: Thursday, July 25, 2013 3:01 PM 
To: 'henry.chao@cms.hhs.gov' 

Cc: 'Michelle.Snyder@cms.hhs.gov' 

Subject: Re: Walk through of the online application in hc.gov 

Hi Henry, thanks so much! To provide more context, as I shared with 
Michelle, I'll be bringing David Simas and Julian Harris (Keith 
Fontenot's successor, newly arrived) with me. Would love to (1) walk 
through the current live online workflow (ideally from the start of the 
application through Plan Compare and selection) and (2) provide the 
opportunity for Julian to get the latest update on (a) IT dev, (b) 
testing, and (c) operational prep. 

For (2), Julian is interested in one level of detail below the POTUS 
presentation. I would not prepare any custom materials whatsoever for 
the meeting, but it would be great to show him (a) the slide you showed 
me with all of the IT modules/completion dates, (b) the testing summary 
for fed agencies, states, issuers you wrote up recently (I think for 
someone's testimony), or similar material, and (c) a slide (if you have 
it) of key operationalization steps (high level) on the road to Oct 1 and 
Dec 1 (e.g., contract X let, center X live, etc.). 
Both Julian and David took great pains to ask that the visit not be 
disruptive to your work -- I think that the message to y'all the 
space to rock and roll is spreading :) 

So I'm thinking a focused two-hour visit, in Baltimore going thru the 
live workflow, and using high-level materials you already have. 

Would next week be best, or would the week after be better, or would 
either week be fine? I haven't yet pinged David and Julian for their 
availability, but wanted to see what was optimal for you first. It would 
be good to combine both of their visits, to save you time. Thoughts on 
timing? 

Michelle, it would be terrific for you to join — would be great for you 
to meet Julian and David, both of whom are terrific; and I've told both 
of them that you and Henry are pure awesomeness ;) 

Thanks! 

Todd 


— Original Message — 

From: Chao, Henry (CMS/OIS) [mailto:henry.chao@cms.hhs.gov] 
Sent: Thursday, July 25, 2013 09:53 AM 
To: Park, Todd 

Cc: Oh, Mark U. (CMS/OIS) <mark.oh@cms.hhs.gov>; Couts, Todd (CMS/OIS) 
<Todd.Couts1@cms.hhs.gov>; Outerbridge, Monique (CMS/OIS) 
<monique.outerbridge@cms.hhs.gov>; Grothe, Kirk A. (CMS/OIS) 
<kirk.grothe@cms.hhs.gov>; Berkley, Katrina (CMS/OIS) 
<katrina.berkley@cms.hhs.gov>; Rhones, Rhonda D. (CMS/OIS) 
<Rhonda.Rhones@cms.hhs.gov>; Graubard, Vivian; 
'rich.martin[redacted]' <rich.martin[redacted]>; 
'cheryl.campbell[redacted]' <cheryl.campbell[redacted]>; 
'Lakshmi.Manambedu[redacted]' <Lakshmi.Manambedu[redacted]>; 
'Mark.Calem[redacted]' <Mark.Calem[redacted]>; 
'Paul.Weiss[redacted]' <Paul.Weiss[redacted]>; Wallace, Mary H. 
(CMS/OC) <Mary.Wallace@cms.hhs.gov>; Booth, Jon G. (CMS/OC) 
<Jon.Booth@cms.hhs.gov> 

Subject: Walk through of the online application in hc.gov 


Todd, 


If you recall we had agreed to provide you a walk through and demo of the 
online application in its current form so you can get a chance to peek 
under the covers of hc.gov. 
Michelle mentioned you contacted her about this and that I should 
follow-up with you to schedule the walk through. 

Katrina can work with Vivian to find a window of opportunity next week if 
you agree. 

let us know. 

Thanks. 

Henry Chao 

Deputy Chief Information Officer and Deputy Director Office of 
Information Services Centers for Medicare & Medicaid Services 
7500 Security Blvd 
Baltimore, MD 21244 
Message 

From: Tavenner, Marilyn (CMS/OA) [/O=HHS EES/OU=FIRST ADMINISTRATIVE 
GROUP/CN=RECIPIENTS/CN=MARILYN.TAVENNER.CMS] 

Sent: 6/26/2013 9:55:47 PM 

To: 'Todd_Y_Park@ostp.eop.gov' [Todd_Y_Park@ostp.eop.gov]; Snyder, Michelle (CMS/OA) [/O=HHS EES/OU=First 
Administrative Group/cn=Recipients/cn=Michelle.Snyder.CMS]; Chao, Henry (CMS/OIS) [/O=HHS EES/OU=First 
Administrative Group/cn=Recipients/cn=Henry.Chao.OS] 

CC: Khalid, Aryana C. (CMS/OA) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Aryana.Khalid.CMS] 

Subject: Re: Follow-up 

Thanks Todd. Appreciate the help as always!!! 

From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov] 

Sent: Wednesday, June 26, 2013 05:34 PM 

To: Tavenner, Marilyn (CMS/OA); Snyder, Michelle (CMS/OA); Chao, Henry (CMS/OIS) 

Subject: Follow-up 

Hi Marilyn, Michelle, and Henry, 

After talking with Henry and team, I spoke with Mark about the logo issue, and explained why attempting to add logos 
for October 1 is extremely unwise. He understands. He may want me to get on the phone with someone from the Blues 
so they fully understand it. I'm more than happy to do so on your behalf - this issue should not consume any more of 
your time. 

Marilyn, I'm also going to visit with Henry and team for one of our evening deep-dive sessions to get up to speed on the 
latest status of IT and testing - during the week of July 8. Michelle, Henry, and I had a check-in call today, but I think 
that Henry is right that to really understand current status and next steps, there is no substitute for an evening 
deep-dive. So I'll bring healthy food and snacks to Baltimore and camp out with Henry and team for a few hours :) 

All the best, 

Todd 
ACA IT Exchange Steering Committee Meeting Minutes 
May 17, 2012 


Meeting Minutes 




ACA IT Exchange Steering Committee 

Ron RHS ?MO 

233 EEOB 




Steering Committee Co-Chairs, Executive Office of the President: 

• Steven VanRoekel 
• Keith Fontenot 
• Todd Park 

Steering Committee Members: 

• Frank Baitman, HHS 
• Alan Constantian, VA 
• Terence Milholland, IRS 
• Beatrice Disman, SSA 
• Donne Andrews, Peace Corps 
• Donna Roy, DHS - Not Present 
• Marilyn Tavenner, CMS - Not Present 
• Robert Carey, DOD - Not Present 


Maryann Rockey, DOD; Tony Trenkle, CMS; John Teeter, HHS; 

Lam, OMB; Ronald Thompson, HHS; Tim May, SSA; Christi Dant, HHS; Jason 
Levitis, IRS; Gina Garza, IRS; Staccardo Washington, IRS; Monique Outerbridge, 
CMS; Marty Pippins, IRS; Lisa Schlosser, OMB; Jeffrey Reczek, OMB; Alisa 
Plakon, OMB; Kathryn Martin, OMB; Tyler Overstreet, OMB; M. David Rice, OMB; 
Kristin Rzeczkowski, OMB 


Key Points Discussed 

No. | Topic | Highlights 
1. | Charter | Comments incorporated. Still needs to be signed. 
2. | Executive Secretariat Updates | Workgroups are coming together. PaDS & Security have met twice. Exec Sec & WG leads have daily calls. Not all workgroups have representation from all Agencies (See action items 1 & "i below) 
3. | Workgroups Reports | Privacy & Data Sharing (PaDS): Tim May briefed on status of combined federated ID management solution. Identity Management is a part of the package and is designed around NSTIC policy standards; also driving toward coordinating one unified review with the states, using one set of documents. 


 | Workgroup Reports cont. | Security Harmonization (SH): Janet Miner provided Ecosystem presentation developed between CMS & IRS that can serve as basis for federated model. Holistic eco-system view will be developed including all federal partners. One early byproduct of WG collaboration is an interest in collaborating on oversight, combined site visits for auditing. 
 | | Operational Oversight (OO): SSA requested that Hours of Operation (24/7) issue be fast tracked for resolution before end of June. Keith Fontenot suggested that a Service Level Agreement might be a starting point (AI-8). The workgroup needs additional membership and will prioritize this and the completion of the integrated critical path development (AI- 
4. | Integrated Critical Path Development | Steering Committee co-chairs reinforced the need to develop integrated critical path ASAP. Monique Outerbridge (CMS) described a number of existing efforts nearing completion that will be used to inform this deliverable (AI-10). Todd Park reiterated the need for knowing what the critical path deadlines are, to not exceed those deadlines, and engage in a very high level of intensity and effort to assure deadlines are met. 
5. | Discussion on Next Steps | Meeting Frequency: Monthly standing meeting will be set. Schedule will be revised as appropriate. Duration: Through 2014. 


Action Items 

No. | Action Item(s) | Owner | Target Date 
Previous Action Items 
AI-1 | Agencies to provide points of contact for both Security Harmonization & Data Sharing and Privacy Workgroups | SC Members | Overdue: DOD; Executive Secretariat requested OPM representation 
 | Combined Security Harmonization & Data Sharing and Privacy Workgroups to hold first meeting | PaDS & SH WG | Completed 5/3/12 
AI-3 | Workgroup co-leads attended NASCIO/CIO Council meeting | PaDS & SH WG | Completed 5/9/12 
AI-4 | Agencies provided points of contact for | SC Members | Overdue 

This could result in multiple awards to support these requirements geographically. 
Question: Will this contract support States enrolled in State-Based Marketplaces 
(SBM) or just States enrolled in the Federally-Facilitated Marketplace (FFM) and 
State-Partnership Marketplaces (SPM)? 


B. Navigator Grants 
Status: 

• Navigator Grant FOA was released on Tuesday, 4/9. 
• Grants are scheduled to be awarded in August. 


4 Ivtern-, 


Agencies Requesting Funding 

We've received the following requests for funding: 

o OPM: $76,000 initial build & $16,000 a year for maintenance 
o VA: $700,000 (0,1.2 per transaction fee) 

Total known 2013 costs are $775,000 and future annual estimated costs are $716,000 
(assuming transactions don't increase drastically - we don't have an estimate of future 
transaction levels). 

DoD may request funding as well but we haven't received a formal request. 

There was a prior decision to not allow these types of request for funds. We have no idea 
if we'll receive similar requests in the future. 

A decision on whether or not to uphold the prior decision is needed before we can 
proceed. 


B. Issues Being Negotiated with IRS 

• Todd Park has agreed to facilitate discussions between CMS and IRS to get several 
outstanding issues resolved. CMS' issues are: 

o ID Proofing (Shared Secrets)— Replace the Adjusted Gross Income (AGI) question with a 
question related to whether or not a tax refund was received in a specified tax year 


Marketplace Activities — 4/5/2013 

Page 6 
Message 

From: Park, Todd [Todd_Y_Park@ostp.eop.gov] 

Sent: 6/26/2013 2:03:17 AM 

To: Snyder, Michelle (CMS/OA) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Michelle.Snyder.CMS]; 
Chao, Henry (CMS/OIS) [/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Henry.Chao.OS] 

Subject: RE: Draft writeup 


Is it possible to get any edits/corrections/additional detail by COB Thursday? 

Would love to loop back with Jeanne and Mark on Friday before I head out for (an attempted) vacation from July 1 to 
July 5. I gave Jeanne a heads up today to telegraph what's coming. 

I think that the key will be to give Jeanne and Mark a bulletproof set of talking points they can use to push back in their 
conversations with the Blues and have the Blues truly understand why the logo play is a bad idea right now. (I don't 
think the Blues really understand that yet). 


From: Snyder, Michelle (CMS/OA) [mailto:Michelle.Snyder@cms.hhs.gov] 
Sent: Tuesday, June 25, 2013 5:48 PM 
To: Park, Todd; Chao, Henry (CMS/OIS) 

Subject: RE: Draft writeup 

looks good.... 

A. Michelle Snyder 

Deputy Chief Operating Officer 

DHHS/CMS 


From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov] 

Sent: Tuesday, June 25, 2013 1:13 AM 

To: Chao, Henry (CMS/OIS); Snyder, Michelle (CMS/OA) 

Subject: Draft writeup 

Please keep close hold -- loop in folks who can help with the details, but don't circulate broadly yet, if you don't 
mind. Let me know if this sounds right - any corrections/edits/additions/deletions welcome: 

Attempting to integrate logos into the FFM for October 1 is not advisable. This is not because the act of integrating a 
logo is by itself a difficult thing to do. It's because the process for collecting health plan and product data from carriers 
via templates, loading these data into the HIOS system, validating the data, transferring the data from HIOS into the FFM 
QHP database, and having the rating engine retrieve and render that data in the FFM has been locked down, and is 
being utilized to support plan data collection/validation and system testing as we speak. Changing the underlying plan 
data template and processing routine right now - by adding a new plan data element, the logo — during the crunch-time 
sprint we're in from now to October 1, would introduce significant risk. Think of it as trying to change a gear in an 
airplane engine in mid-flight. Or adding a new field to an IRS tax form in the middle of filing season. As an isolated act, 
adding the field isn't hard. What's hard is the notion of adding it to the tax form via a system modification, when that 
system is going through an intense time, with a lot of moving parts involved, and where a wrong move could actually 
screw the whole system up. 

An alternative to changing the core plan data submission/management process and systems (i.e., modifying the carrier 
plan data templates, HIOS, the QHP database, and rating engine logic) would be to set up a database of logos outside 
this core data management process and have the FFM system, when rendering a given insurance product, pull from 
both the QHP database plus the logo database. This is a terrible idea technically, would be prone to error, and still 
creates the issue of mucking with the jet engine while it's in flight. 

The right way to add logos to the FFM would be to modify the core plan data submission/management process and 
systems to include logos as part of the carrier plan/product template and be able to process logos all the way 
through. This is not doable for Oct 1 without introducing significant operational risk to the go-live, as discussed 
above. We suggest considering it as part of a future release, post October 1 -- understanding that it will have to 
compete with a lot of priorities. The reasonable thing to do would be to target making this modification in time for the 
next cycle of plan bids, in 2014. 
From: 

Sent: 

To: 


Cc: 

Subject: 


f 'iX)bertxare^#' 


'Debbi-Russe!l@| 

1 ' Scblosser, Lisa; Rice, Dave; 


Fontenot, Keith X 
Friday, March 08, 2013.%19 PM ' 

VanFbeket Stevei? Na^Todd* 'dtosrjtsyi 
'Frank,Baitmail®||Q§||||; ’M»^.Tav&iner@j 

’Tererk:e.'V.Miiho!lanc<9^|^|^ 'AlaruOanstantiani 
Overseer, T^er Ple-R^oo,. A8^ Martia Katiiryn; Reczek, Jefft Tran-Lani, Minh- 
Hat; Reilly, Thomas M,; *Paulai=riedman#(||||^j||P *M^Justfe@i 
T.^onlque.outerbridge^m|^^|||m; ‘^T^.t'enide#| 

'henfv.id«o^pBR!3pP‘ •Sar^H.InQranKSH^j^ ‘iam^1cerr@j 
'Silvana.G.Oarzai^l^^; 'Miche!le,Snyder^[|||||||^ 'Christi.i^nt@) 

‘rebecca.gv.fllt@:||||||||^m|; 'thoma$:5dianlcwelEer@| 
‘7imothy.Montc:;ecn2©mgH;'MaribshFraney@] 

‘Se!erra.Hur»n@JB3P|: Wjiiiams, Ross;'Defara.McKeldml@|_ 

'MarttaL.Pippins @0|;' Merie.fownleyii'JI^^U 'BryarkSfyak# 
Tah^er{r^.£LiV!ngsrons§)|||||||||||^^ RaEcz|usy,^k!, iO^tin; Lynch, Laura; 

Graubard, Msflart; 'Danieile.Sivens-® 

'EVEUNE.RESURR£CGQN.cti-© »jSl| 'Eiizabeth.Callaghan@i 

’donna.landis® 






'A(tcla.CavBnaugh©||m 
'Ronafd.Thompsqn@m 
'5taccardo.twashingroni;g 
’BennstLblodgett^ 

‘Oavid.BovvenS 
'car]a.clark@ 

Rzeczkowski, Kristin 

Restructuring of the Affordable Care Act Information Technology Exchange Steering 
Committee 


IH: 'cathy.keating®] 

'sandra.kraft©] 

'susan.mcnailyra»JggH‘*Glta:Uppa!-@] 
’jcanne.wal5h©|||^§; 'iadynJandls@§Hi 

‘Wand3J.Brov\'n2@H^2BI ' 


Steve, Todd, and I established the executive IT steering committee (ITSC) to bring your agencies together to facilitate 
progress on key issues of concern and help resolve roadblocks associated with Exchange IT implementation. Now that 
States have made final decisions to use a Federal, Partnership, or State-based Exchange, we need to optimize use of 
your time and make the ITSC and workgroup meetings as efficient as possible. To this end, we will restructure ITSC by 
implementing the following changes immediately: 

Meeting Schedules 

• There will be monthly ITSC meetings, with option to cancel if necessary. 

• Agency membership will not change, but meeting attendance will only be mandatory for agencies that are involved 
in selected agenda topics. 

• Ad hoc meetings with key agencies on specific issues will continue. 

• IT Exchanges workgroup and sub-workgroup meetings and activities will continue. 

Streamlined Coordination 

• The Centers for Medicare and Medicaid Services (CMS) will provide an agenda and relevant background materials 
24 hours in advance of each ITSC meeting which will serve to update the committee on progress, scheduling, and bring 
any obstacles, sources of delay, or similar issues, as well as recommendations, to the committee's attention. 
• ITSC meeting agendas will focus on individual major Exchange functions (e.g., Financial Management, Eligibility and 
Enrollment, etc.) and how each relevant agency is preparing to "go live." Topics discussed will include issues in need of 
resolution or specific updates requested by ITSC chairs. 

• Pre and post meeting materials should be prepared only if necessary or when materials are specifically requested 
by the ITSC chairs. 

• The primary responsibility of the Executive Secretariat, led by the Department of Health and Human Services 
(HHS), is to support the workgroups and sub-workgroups. 

• Participating agencies will identify one point of contact to escalate issues to the ITSC chairs within 3 business days 
of issuance of this memorandum. 

o Agencies should attempt to resolve issues prior to escalation to ITSC chairs. 

o ITSC chairs established a distribution list for direct escalation. Emails should be sent directly to me, Steve, 
and Todd with cc: to Minh-Hai Tran-Lam, Reczek and Alisa Ple-Plakon to ensure expedited responses. 

We anticipate that these changes will facilitate efficient and effective ITSC meetings in the future. Thank you for your 
dedication to ensuring the successful implementation of the Health Insurance Marketplace to improve access to quality 
affordable health care coverage across the nation. 

Keith 

ACA IT Exchange Steering Committee Meeting Minutes 
November 29, 2012 

Meeting Minutes 



xc’)a''ge Steering Committee 

Jaiu --v 20i3 ^ 


mp'-on, HHS PMO 

aOOAV- i o^m ' 


....^.v, EUenhowerRoom 

it'h*evHrrHHSra“^ 

Steering Committee Co-Chairs, Executive Office of the President: 

• Keith Fontenot 
• Steven VanRoekel 
• Todd Park 

Steering Committee Members: 

• Alan Constantian, VA 
• Beatrice Disman, SSA 
• Kelly Croft, SSA 
• Robert Carey, DOD 
• Frank Baitman, HHS 
• Tony Trenkle, CMS 

CMS: Henry Chao, Maribel Franey, Monique Outerbridge, Jim Kerr, Tom Schankweiler, Rebecca Gwilt, Aaron Wesolowski 

DHS: Donna Roy 

DoD: Mary Kay Justis; Capt. Margaret Beaubien 

HHS: Ron Thompson, Christi Dant, Wayne Dastm, Selena Hunn, Ashley Hih, Claudia Williams, Bryan Sivak 

IRS: Marty Pippins, Wanda Brown, Gina Garza, Cathy Livingston 

OMB: Katie Martin, Minh-Hai Tran-Lam, Jeffrey Reczek, Alisa Ple-Plakon, David Rice, Tyler Overstreet 

OPM: Merle Townley 

SSA: Tim May 

VA: Gita Uppal 


Key Points Discussed 

Opening Remarks and Roll Call 

OMB has been working at accomplishing the requests from the previous SC meeting. 

The meeting's agenda includes: key updates, Security and Privacy updates from Tim May 
and Rebecca Gwilt, Operations and Oversight updates from Wanda Brown and Monique 
Outerbridge, a CMS timeline update from Maribel Franey, and identification of 
dependencies from consent. 

Workgroup Updates 

Marilyn Tavenner has been engaged in the consent resolution conversations. 

• Details cannot be flushed out until these conversations are complete. 

• CMS has been ordered to await the completion of these discussions before 
determining the necessary changes to the baseline schedule. 

Todd Park has been engaged in discussion on NIST Level 2 inter-mechanics. 

• CMS is moving forward with following this process, which represents SSA's 
understanding, as well. 

• SSA is interested in understanding the downstream impact on the overall 
integrated testing, as well as the timeline. 


Scheduling 

• Highest risk to implementation associated with awaiting the high-level decision, 
as opposed to building for the worst case scenario. 

o Broad risk: Schedule and implementation risks would be the largest 
IT concerns. The schedule presents a risk of a 2-^ week delay, 
p-si^i the team must agree that the schedule risk is a priority and must find 
ways to retrieve the lost time from other areas. 
o It is unclear as to whom the Secretary is in discussion with or what the 
status of the discussion is. 
o Teams thought there would be simultaneous development between the 
legal issues and the IT build as the higher level issues were being 
addressed. The interagency team is not in full agreement on this issue. 
o David Black would like the teams to continue making technology 
progress. 

Clarification: Identification Proofing vs. Consent 

• Consent is a legal issue, whereas identity proofing is a solution and process that 
needs to be established. 

• SSA is relying on the Privacy Act for legal authority on ID proofing as there is 
none provided in the Act. 

o Currently working this issue. 
o Identity proofing would be built in as a process for verifying an 
individual's identity. 

• Previous decision to use two IRS challenge questions at the threshold has been 
reconsidered and is currently being discussed. 

• Suggestion: A smaller group of key individuals may need to reconvene on this 
topic in 3-4 weeks including Marilyn because of her involvement with the 
scheduling. 

Integrated Project Plan 

The IPP needs to be addressed before focusing on the schedule 


ACA Exchange IT Steering Committee Meeting Minutes, p. 2 




There is some ambiguity bstwecn teams on day to day iPP controi 

The majority otthe current schedule belongs to CMS (80-90%) n'laking it seem as 

if the majority of tasks beiong to CMS 

Q CMS is unclear If other agencies are on the schedule and if there is an 
integrated process. 

o CMS would like other agencies to be i.nvoived to the point that we can 
see the integratfon, focusingifen agency invoivoment in the design, 
development, and/or tesb^i5i;:phases. 

e Unless everyone is opei^iiog off of the CMS schedule, scheduling should 
be dependent on-ihefPP: Garrentfy not all are operating from the CMS 
schedule 


Eligibility and Enrollment' 












Issuers have to submit-'QHPs on March 28, 2013 

o Goal: QMS's ssfterussion-is^bnng in two orfhbre multi-state plans per 
w;th an mcf«3Se'.i»:€verv state over time.''' ■' 
a\t«;_Th«ipbjectfve was to contract and iease to devetpo software that will 
:<aUow mulfc-state plans to^present their different qualifications, allowing 
0MB to assesS'-and submit information to the system, 
o Phas® oftheappl®3bon: ^4^;- 

• Phase I. feb 1- Applications due; 

2: March iS - Review begins; 

Phase 3; May/June- Creation of answer set (a difficult 
prot^m, information goes to FFE via HIOS); 

Not addressed. 

Best. course of adStwit.- 

>^>~..rhe first concern with schedulmg is mseting the March 28, 201.3 date, 
\-.{he other -issues niay be consent etc., but March 28th is fast 
approaching and nas not oeen talked about in the meetings yet. 

0 The apencies responsible for bund and process compone.nts that impact 
the March 2S'h date should cone together, they can inform 0MB of 
whatisgQi.ng on. 

Need to determine what the key dates are, then build progress and 
identify roadblocks for each involved agency. 






0MB Concerns 


Use of Steering Committee Meetings 

■ OMB would like unresolved interagency issues to be elevated during these 
meetings 

o SC meetings are not intended as a venue for reporting standard updates
but rather a place to seek help on interagency roadblocks.
o The SC meetings should help maximize the productivity of delivery.
o The meeting schedule can/should be utilized according to necessity.


ACA Exchange IT Steering Committee Meeting Minutes, p. 3

Key Points Discussed

• Only hold meetings when need be. Otherwise it is permissible
to cancel the standing appointment.

■ OMB wants to know from the interagency teams how OMB can
do a better job of helping solve relevant issues and meeting
with the team.

• The interagency team would like to come back to
OMB with a proposal on the best way to raise
interagency issues that need their help in order to
reach benchmarks.




Action Items from 1/11/13

No. | Action Item(s) | Owner | Target Date
1 | Produce a document for SC detailing how they would benefit from OMB assistance and n"t‘t t-nc in the future. | Interagency team | 2-3 weeks




ACA Exchange IT Steering Committee Meeting Minutes, p. 4
To: Couts, Todd (CMS/OIS) (Todd.Couts1@cms.hhs.gov)[Todd.Couts1@cms.hhs.gov]

Cc: Ca(erT}, M ark (CG? Federaj)[ Martc.Catem|MM|Ml: 

l^dera»)[P3u!.Wass(|B0MHHBB[|k 

From: Manambedu, Lakshmi (CGI Federal)

Sent: Fri 7/12/2013 6:11:47 PM

Subject: RE: Need a write up for Todd

Day One Capabilities - Priority and Risk - 20130712.docx


Hi Todd, 


Attached is what I have for E&E. You may be able to extract the major ones from this.
In terms of other major milestones between Oct 1 and Jan 2014 are:

- Enrollment Reconciliation - December 2013
- Exemptions Applications - December 2013
- Payment to Issuers - 3rd week of January 2014


Thank you 


Lakshmi Manambedu | Vice President CGI Federal | Mobile:


From: Chao, Henry (CMS/OIS) [mailto:henry.chao@cms.hhs.gov]
Sent: Friday, July 12, 2013 12:58 PM
To: Manambedu, Lakshmi (CGI Federal); Kartlon Kim Donohoe, Paul X. (CMS/OIS);
Couts, Todd (CMS/OIS); Rhones, Rhonda D. (CMS/OIS)
Cc: Oh, Mark U. (CMS/OIS); Berkley, Katrina (CMS/OIS); Couts, Todd (CMS/OIS); Rhones, Rhonda D.
(CMS/OIS); Grothe, Kim A (CMS/OIS)
Subject: Need a write up for Todd
Importance: High


This is for source material for Todd Park to pick nuggets from in his prep for briefing POTUS
next week.


So the write-up, which are sentence(s) in bullet form, needs to cover:


Contains Sensitive and Proprietary Business Information - Maintain as Confidential

• The A-Z of testing by partner (Issuer, # of Issuers, State programs, types of
Marketplace), approach (waves, harness, DE, 834/enrollment, etc.), and high level schedule.

• Overall list of key activities to be accomplished and risks for Day one (remaining
80 days) and Day ones for other major lifts prior to Day one of the benefit and the start of the
benefit.


Please use material we have already like the deck that we used for SVR and updated another
version for Marilyn/OL a few days ago.


Remember that bullets should not be written to be used to create more questions.


Rhonda and Todd - please collect, format, and send to me by COB today.


Henry Chao
Deputy CIO & Deputy Director,
Office of Information Services
Centers for Medicare & Medicaid Services


Message

From: Park, Todd [Todd_Y_Park@ostp.eop.gov]
Sent: 9/3/2013 11:06:25 PM

To: Trenkle, Tony (CMS/OIS) [/O=HHS EES/OU=First Administrative
Group/cn=Recipients/cn=tony.trenkle.cms42Q98130]; Baitman, Frank (OS/ASA/OCIO) [/O=HHS EES/OU=EXCHANGE
ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=Frank.Baitman.OS]; Snyder, Michelle (CMS/OA)
[/O=HHS EES/OU=First Administrative Group/cn=Recipients/cn=Michelle.Snyder.CMS]
Subject: Fw: Cybersecurity points


Tony, Frank, Michelle, thoughts on Ed joining our 10 am call tomorrow, and then talking with him
afterwards briefly? One point to discuss with him is Frank's very good point that we need to walk a fine
line publicly -- showing we take the risks seriously but also not baiting hackers into attacking.

Also: it was part of the outline for tomorrow's call, but just wanted to follow up on if we can get some
external validators to be references with respect to CMS's general cyberdefenses and approach to
cybersecurity -- again, in the context of the walking the fine line above....

Thanks so much, 

Todd 


-----Original Message-----
From: Siskel, Edward
Sent: Tuesday, September 03, 2013 05:14 PM
To: Park, Todd
Subject: FW: Cybersecurity points


-----Original Message-----
From: Jennings, Christopher
Sent: Tuesday, September 03, 2013 4:33 PM
To: Siskel, Edward; McGuinness, Tara; Lambrew, Jeanne; Park, Todd
Cc: Jones, Isabel; 'aryana.khalid@cms.hhs.gov'; 'Michelle.snyder@cms.hhs.gov';
'Tony.trenkle@cms.hhs.gov'; 'frank.baitman@hhs.gov'; Graubard, Vivian
Subject: Re: cybersecurity points



Chris 


-----Original Message-----
From: Jennings, Christopher
Sent: Tuesday, September 03, 2013 07:12 AM
To: Park, Todd; Siskel, Edward
Cc: Lambrew, Jeanne; Jones, Isabel; 'aryana.khalid@cms.hhs.gov' <aryana.khalid@cms.hhs.gov>;
'Michelle.snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>; 'tony.trenkle@cms.hhs.gov'
<tony.trenkle@cms.hhs.gov>; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; Graubard, Vivian
Subject: Re: Cybersecurity points

for this background and, more importantly, your great work to protect us from cyber attacks/security
threats.

Chris

-----Original Message-----
From: Park, Todd
Sent: Tuesday, September 03, 2013 01:3S AM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid@cms.hhs.gov' <Aryana.Khalid@cms.hhs.gov>;
'Michelle.Snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>; 'tony.trenkle@cms.hhs.gov'
<tony.trenkle@cms.hhs.gov>; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris, here are an expanded/updated set of bullet points from Frank and Tony:

Like all publicly facing Internet websites, whether Amazon, Bank of America, or Medicare, we see
regular attempts to infiltrate and test the security of our systems. We take these threats seriously,
continuously monitoring for inappropriate activity, and adjusting our defenses accordingly.

-- The Centers for Medicare and Medicaid Services (CMS) has a history of preventing major breaches
involving the loss of personally identifiable information from cyber-attacks. CMS faces unique
challenges in maintaining a strong cyber security infrastructure because of its decentralized IT
infrastructure and heavy dependence on contractors to perform most agency functions. To deal with these
challenges, CMS has established an information security program with consistent risk management, security
controls assessment, and security authorization processes for all enterprise systems. The security
controls established and implemented by CMS meet existing Federal standards.

-- CMS has implemented a Security Operations Center (SOC) to provide additional monitoring capabilities
and has been an innovative leader in using state of the art continuous monitoring tools. These tools can
remotely scan the IT assets of CMS systems to ensure baseline configurations are up to date and compliant
and that deviations are quickly identified and mitigated. Additionally these technologies have the
capability to detect unknown or rogue hosts which are quickly identified and blocked. CMS has also
implemented a penetration testing program to scan CMS systems to identify vulnerabilities and reduce or
eliminate potential risks from external threats.

-- IT security for the Marketplace presents additional challenges because of short timelines, high
visibility, multiple Federal and non-Federal partners, and new complex systems being built to support the
program. CMS' information security staff have been working closely with IT development teams to help
ensure that all required security testing is completed. Test results will then be reviewed by security
staff; when the results are determined to be acceptable, an Authority to Operate (ATO) will be issued.
The ATO is signed by both the CMS Chief Information Officer (CIO) and the Chief Information Security
Officer (CISO).

-- CMS is working to ensure that all security testing is completed and ATOs are signed before October 1.
A signed ATO signifies that the systems are operating at an acceptable level of risk and will meet tough
Federal security standards. Once the Marketplace opens, CMS will utilize state of the art monitoring and
surveillance tools to be able to quickly detect and deal with potential threats. CMS is also working
closely with HHS and other public and private sector security experts to get additional technical support
for the Marketplace program.

-- The U.S. standard for designing the information security program and responding to associated threats
has been developed by the National Institute for Standards and Technology in support of the Federal
Information Security Management Act. FISMA has emerged as the gold standard for information security
standards and guidelines across the globe.

-- OMB has mandated the use of NIST standards for all federal civilian agencies, including HHS. HHS has
developed a robust information security program across all of its operating divisions to ensure that the
information security posture is robust and responsive to emerging threats. Working with the US-CERT at
the Department of Homeland Security, HHS ensures that threats to information assets and networks are
addressed and mitigated as rapidly as possible. This situational awareness and real-time mitigation
activity embrace the newly launched systems in support of ACA through the coordination and collaboration
mechanisms now in place at the Department.


-----Original Message-----
From: Jennings, Christopher
Sent: Monday, September 02, 2013 02:43 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid@cms.hhs.gov' <Aryana.Khalid@cms.hhs.gov>;
'Michelle.Snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>; 'tony.trenkle@cms.hhs.gov'
<tony.trenkle@cms.hhs.gov>; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; Graubard, Vivian
Subject: RE: Cybersecurity points

Thanks Todd. And thanks Tony and Frank; would appreciate having as soon as is possible (with my
preference, not surprisingly, being tonight before my stressful morning starts). Having said, guys, I
will take what I can get when I get it with gratitude.

Chris

-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 2:19 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid@cms.hhs.gov'; 'Michelle.Snyder@cms.hhs.gov';
'tony.trenkle@cms.hhs.gov'; 'frank.baitman@hhs.gov'; Graubard, Vivian
Subject: Re: Cybersecurity points

Hi Chris, 

Tony and Frank will send you today an additional bullet point(s) regarding how the Federal Information 
Security Management Act (FISMA) and other legislation specific to Federal agencies has CMS and other 
agencies adhere to higher standards and go through a more rigorous level of assessment than is typical in 
the private sector. 

Tony and Frank are also pulling together additional info on track record of defending against attacks, 
working with their info security people -- they are tracking folks down today and will seek to get you
additional info by tonight.... But if it turns out they need until first thing tomorrow morning to get 
you the track record info, would that be OK? 

cheers, 

Todd 


-----Original Message-----
From: Jennings, Christopher
Sent: Monday, September 02, 2013 12:28 PM
To: Park, Todd
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid@cms.hhs.gov' <Aryana.Khalid@cms.hhs.gov>;
'Michelle.snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>; 'tony.trenkle@cms.hhs.gov'
<tony.trenkle@cms.hhs.gov>; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; Graubard, Vivian
Subject: RE: Cybersecurity points

Ok thanks Todd; quite helpful and will serve as placeholder

We need to have all of this locked down for September 11th hearing;
we also have to have strong message with Justice, FTC, HHS and others for our enforcement event the week
of the 16th. I know we had reference somewhere to current federal standards and how they exceed private
sector as well as track record of protection from attacks. Can you or someone provide that reference for
me to bolster confidence building tomorrow? Thanks much for all. And safe and fun travels my friend.

Chris 


-----Original Message-----
From: Park, Todd
Sent: Monday, September 02, 2013 12:02 PM
To: Jennings, Christopher
Cc: Lambrew, Jeanne; Jones, Isabel; 'Aryana.Khalid@cms.hhs.gov'; 'Michelle.Snyder@cms.hhs.gov';
'tony.trenkle@cms.hhs.gov'; 'frank.baitman@hhs.gov'; Graubard, Vivian
Subject: cyber-security points

Chris, cybersecurity background for you The

three are the points OIS put together previously which I'm sure you've already seen; they are followed by
a couple of points about next steps currently underway. Please let us know if you have any questions.
I'll be on a long flight for much of Tuesday -- am looping Tony (CMS CIO), Frank Baitman (HHS CIO),
Michelle, and Aryana, who can answer any questions you have that might arise. 

-- The Centers for Medicare and Medicaid Services (CMS) has maintained a strong history of preventing
major breaches involving the loss of personally identifiable information from cyber-attacks. CMS has in 
place established risk management, security controls assessment, and security authorization processes for 
all CMS systems. These controls meet or exceed existing Federal standards. 

-- CMS has been an innovator leader in the information security community through the use of state of
the art continuous monitoring tools that remotely scan the IT assets of CMS systems to ensure baseline
configurations are up to date and compliant and that deviations are quickly identified and
mitigated. Additionally these technologies have the capability to detect unknown or rogue hosts which
are quickly identified and blocked. Penetration testing is also performed on all CMS systems to identify 
vulnerabilities and reduce or eliminate potential risks from external threats. 

-- The IT systems that are being created for the Marketplace will meet or exceed existing Federal
security standards and will utilize state of the art monitoring and surveillance tools. CMS is also
working closely with HHS and other public and private sector security experts to get additional technical
support for the Marketplace program.

-- Tony Trenkle (CMS CIO) is convening a session next Wednesday, Sept 4, with CMS, HHS, DHS, DOJ, and me
to review (1) our preparation for and defenses against cyberattack, (2) what our response/action would be
in the event of an attack/crisis, and (3) how we would prosecute attackers. CMS will then produce a memo
summarizing the above by the end of the week.

-- As an fyi, we have also reached out to Alex Karp and team. Alex put us in touch with his top cyber
experts -- we are slated to speak with them on Wednesday as well.

Chris, again, please let us know if you have any questions!

All the best,

Todd


- Application of this information security program to the Marketplace provides strong, sound safeguards for consumer
data, allowing eligible Americans to confidently and securely enroll in quality affordable health coverage.


From: Park, Todd
Sent: Tuesday, September 17, 2013 9:54 PM
To: Santillo, Jessica; 'tony.trenkle@cms.hhs.gov'
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman@hhs.gov'; 'Brian.Cook@cms.hhs.gov'; 'Michelle.Snyder@cms.hhs.gov'
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Tony/Frank, an update -- it looks like the background call tomorrow is with WH folks only, with detailed inquiries to
be referred to agencies.


So: while I'd love for you to hold the time on your calendars (just in case), as of this moment, you don't have to get on
the call.


I've let Jessica know that you guys are the font of detailed knowledge on CMS/HHS cyber and that I can talk to it at a
general level only - she thinks that will be OK on the call tomorrow, with detailed questions to be referred to agencies.

Just to triple check this, I will be sending around talking points tonight which (combined with Marilyn's Hub letter)
basically represent what I'm prepared to say tomorrow. Would very much appreciate your vetting of these.

And in the event that, after reviewing my talking points, Jessica feels like we need more on the call, we may ask you to
attend the call after all :)

So while you are off the hook for now, please do hold the call time, just in case!

Thanks so much, and please stay tuned for talking points to vet, coming later tonight,

Todd 


From: Park, Todd
Sent: Tuesday, September 17, 2013 07:39 PM
To: Santillo, Jessica; 'tony.trenkle@cms.hhs.gov' <tony.trenkle@cms.hhs.gov>
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; 'Brian.Cook@cms.hhs.gov'
<Brian.Cook@cms.hhs.gov>; 'Michelle.Snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

OK, will draft talking points and send around later tonight. And Tony, Frank, please confirm if you can join me on this
background call -- again, only to participate in the cybersecurity portion :) Would really appreciate your help :)


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 07:37 PM
To: Park, Todd; 'tony.trenkle@cms.hhs.gov' <tony.trenkle@cms.hhs.gov>
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman@hhs.gov' <frank.baitman@hhs.gov>; 'Brian.Cook@cms.hhs.gov'
<Brian.Cook@cms.hhs.gov>; 'Michelle.Snyder@cms.hhs.gov' <Michelle.Snyder@cms.hhs.gov>
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Thanks Todd - if your team could draft the cyber talking points, that would be very helpful. Thanks so much.


We are still working on finalizing the paper but will share those with everyone as soon as they are ready.

From: Park, Todd 

Sent: Tuesday, September 17, 2013 7:22 PM 
To: Santillo, Jessica; 'tony.trenkle@cms.hhs.gov'
Cc: Jones, Isabel; Mielke, Dawn M.; 'frank.baitman@hhs.gov'; 'Brian.Cook@cms.hhs.gov'; 'Michelle.Snyder@cms.hhs.gov'
Subject: Re: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Thanks, Jessica. Tony and Frank, can you join via phone? You'll only be asked to help with the cybersecurity part of the
call. I am more than happy to deliver the primary talking points, which will focus principally on Marilyn's letter
regarding Hub cybersecurity + the general points the three of us hammered out a while back.

Jessica, are you putting together talking points for us, or would you like me to take a crack at them? 

Thanks, 

Todd 


From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 07:13 PM
To: Park, Todd; Trenkle, Tony (CMS/OIS) <tony.trenkle@cms.hhs.gov>
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO) <Frank.Baitman@hhs.gov>; Cook, Brian T.
(CMS/OC) <Brian.Cook@cms.hhs.gov>; Snyder, Michelle (CMS/OA) <Michelle.Snyder@cms.hhs.gov>
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Todd - happy to have Tony and Frank join us for the cyber security portion.

On your first question - the call is on background according to "White House officials"

Thanks very much for making this work on such short notice. We will hold the call in EEOB 207. I will send
around a calendar invite. 

Thank you again, 

Jessica 


From: Park, Todd 

Sent: Tuesday, September 17, 2013 6:14 PM 
To: Trenkle, Tony (CMS/OIS); Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle
(CMS/OA)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Tony, the part of the call where you, Frank, and I would be participating would focus exclusively on cybersecurity....
Jessica, thoughts?


From: Trenkle, Tony (CMS/OIS) [mailto:tony.trenkle@cms.hhs.gov]
Sent: Tuesday, September 17, 2013 5:08 PM
To: Park, Todd; Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC); Snyder, Michelle
(CMS/OA)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Todd,

I am not really comfortable about participating on this call, even on background. It is getting into areas that I have not
been involved in (privacy and fraud prevention efforts).


Tony 


From: Park, Todd [mailto:Todd_Y_Park@ostp.eop.gov]
Sent: Tuesday, September 17, 2013 4:43 PM
To: Santillo, Jessica
Cc: Jones, Isabel; Mielke, Dawn M.; Trenkle, Tony (CMS/OIS); Baitman, Frank (OS/ASA/OCIO); Cook, Brian T. (CMS/OC)
Subject: RE: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Jessica, I am signed up to help with the call! Looping Tony, Frank, and Brian. Two questions:

1. Is the call on background, or on the record?

2. Can Tony Trenkle and Frank Baitman join me on the call? They are the folks
who know the details, and it would be super-helpful for them to be on.


Thanks! 

Todd 

From: Santillo, Jessica
Sent: Tuesday, September 17, 2013 2:10 PM
To: Park, Todd
Cc: Jones, Isabel; Mielke, Dawn M.
Subject: Preventing Fraud in Marketplaces - WH background call with media tomorrow?

Hi Todd -


From: Park, Todd
Sent: Monday, January 07, 2013 11:20 PM
To: 'Bryan.Sivak@
Subject: Re: Fwd: Consent issue


Yes let's cover when we chat tomorrow. And the 9 am meeting is the ACA Steering Committee mtg (WH interagency)
that you're now supposed to be invited to.... I'll check with Minh-Hai to make sure you're invited!!


From: Sivak, Bryan (HHS/IOS)
Sent: Monday, January 07, 2013 09:34 PM
To: Park, Todd
Subject: Fwd: Consent issue

Two things: first, check the thread (keep this between us). We should probably talk about this.
Second, do you know anything about a meeting Friday morning? It's not on my calendar.


Begin forwarded message:


From: "Baitman, Frank (OS/ASA/OCIO)"
Date: January 7, 2013, 21:06:31 EST
To: "Sivak, Bryan (HHS/IOS)"
Subject: Re: Consent issue


There's an ACA meeting on Friday at 9am. I'd thought you were put on the invite list. I'll look
into it.


I'm told that SSA is preparing some position papers that seem to indicate there are problems with
consent through the Privacy Act. Seems like you're hearing something else? So, are SSA and IRS
on board with the resolution?


Frank Baitman
Sent from my iPad
please excuse my typos!


On Jan 7, 2013, at 7:40 PM, "Sivak, Bryan (HHS/IOS)"

I think we pretty much have it resolved although I'll know more by mid week.

I don't think it will really matter, but what are the "additional impediments?"

Also...what meeting on Friday? I don't have anything on my calendar.


On Jan 7, 2013, at 19:34, "Baitman, Frank (OS/ASA/OCIO)"


Bryan, just wondering where this stands now? Are you working it?


I'm told that CMS has gotten quiet on this, and our folks don't
know where this is going.


From an SSA perspective, it sounds like there might be some
additional impediments from their end.


Since we have the WH meeting on Friday, I'd like to understand 
any challenges in advance. 


Thanks, 
- Frank